
Zenario 9.3.57474

@TribalSystems TribalSystems released this 26 Oct 13:45
· 19 commits to latest-public-release since this release

This release contains a critical security patch for file uploads in User Forms; anyone
using Zenario 9.3 should update as soon as possible.

Critical security patch

This security update fixes a remote code execution vulnerability in Zenario's User Form
module.

If you had file uploads enabled in a contact form or other user form, it was previously
possible for an attacker to exploit a remote code execution vulnerability.

This update closes that vulnerability. We recommend everyone update their copy of Zenario
as soon as possible.
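Checks a form handler can apply to an uploaded file before storing it, as an added example written for these notes in Python (Zenario itself is PHP); this is not Zenario's patch, and the allow-list of types, the size limit and the stored-name scheme are assumptions made for the example. The defensive point is that the declared type has to be confirmed by the file's own bytes, and the name written to disk is never derived from the name the user supplied:

```python
import pathlib
import secrets
from typing import Optional, Tuple

# Constructed allow-list for the example: extension -> bytes the content must
# start with. A real form would derive this from the types it declares it accepts.
ALLOWED_TYPES = {
    "pdf": b"%PDF-",
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
}
MAX_UPLOAD_BYTES = 5_000_000  # assumed limit for the example


def vet_upload(original_name: str, data: bytes) -> Tuple[Optional[str], str]:
    """Decide whether an uploaded file may be stored.

    Returns (stored_name, reason). stored_name is None when the file is
    rejected; otherwise it is a random name ending in the verified extension,
    meant for a directory outside the web root that the server never executes from.
    """
    if len(data) > MAX_UPLOAD_BYTES:
        return None, "file too large"

    # Only the final suffix counts, so "report.php.jpg" is judged as ".jpg" and
    # then has to prove it by its content. Directory parts and backslashes in the
    # name do not matter because the name is never reused as a path.
    ext = pathlib.PurePosixPath(original_name).suffix.lower().lstrip(".")
    if ext == "jpeg":
        ext = "jpg"
    if ext not in ALLOWED_TYPES:
        return None, f"extension .{ext or '(none)'} not allowed"

    if not data.startswith(ALLOWED_TYPES[ext]):
        return None, f"content does not match .{ext}"

    # The user-supplied name never touches the filesystem: the file is stored
    # under a random name with the extension its content actually matched.
    return f"{secrets.token_hex(16)}.{ext}", "accepted"


if __name__ == "__main__":
    for name, blob in [("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16),
                       ("photo.php.jpg", b"<?php // constructed sample"),
                       ("notes", b"plain text")]:
        print(name, "->", vet_upload(name, blob))
```

Pair this with storing accepted files outside the document root and serving them through a download handler, so that a file which slips past the checks is still only ever read back as data.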

Other security updates

This update also patches a couple of minor security vulnerabilities in admin mode.

There was a small hole in our SVG sanitiser script, which meant it was still possible to
create an SVG with an XSS attack hidden inside and upload it in places where we accepted
SVG uploads.

We've also fixed a small issue where the administrator's name was not being HTML escaped
on the diagnostics screen.

Neither of these issues is considered critical, as someone would already need
administrator access before they could exploit them.

Fixes for SVGs

This release contains a fix for a bug that affected how Zenario handled certain SVG files.

We were not reading the metadata of some SVG files correctly, so the CMS thought their
width and height were 100 × 100.

The width and height of these SVG files should now be read correctly. (However, you will
need to re-upload any affected SVGs to trigger an update.)
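Two of the SVG points in these notes, the sanitiser hole and the mis-read width and height, in one added Python example (not Zenario's code, which is PHP): svg_problems() lists the reasons to refuse an SVG that carries active content, and svg_size() reads the intrinsic size, falling back to the viewBox before resorting to a fixed default. The deny-list of elements, the regular expressions and the sample SVGs are constructed for the example.

```python
"""Added example (not Zenario code): pre-acceptance checks for uploaded SVGs.

svg_problems() refuses SVGs carrying active content; svg_size() reads the
intrinsic width/height, falling back to the viewBox before any fixed default.
"""
import re
import xml.etree.ElementTree as ET

XLINK_NS = "http://www.w3.org/1999/xlink"

# Constructed minimum deny-list for the example. A production sanitiser should
# instead allow-list the elements and attributes it knows to be safe.
FORBIDDEN_ELEMENTS = {"script", "foreignObject", "iframe", "embed", "object"}
URI_ATTRIBUTES = {"href", f"{{{XLINK_NS}}}href"}
UNSAFE_SCHEME = re.compile(r"^\s*(javascript|vbscript|data)\s*:", re.IGNORECASE)
PIXEL_LENGTH = re.compile(r"^\s*([0-9]*\.?[0-9]+)\s*(px)?\s*$")


def local_name(qualified: str) -> str:
    """'{http://www.w3.org/2000/svg}svg' -> 'svg'."""
    return qualified.rsplit("}", 1)[-1]


def svg_problems(svg_text: str) -> list:
    """Return the reasons an SVG should be refused; an empty list means it passed."""
    problems = []
    if "<!DOCTYPE" in svg_text.upper() or "<!ENTITY" in svg_text.upper():
        problems.append("document type declaration present")  # an image never needs one
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        return problems + [f"not well-formed XML: {exc}"]
    if local_name(root.tag) != "svg":
        problems.append(f"root element is <{local_name(root.tag)}>, not <svg>")
    for element in root.iter():
        name = local_name(element.tag)
        if name in FORBIDDEN_ELEMENTS:
            problems.append(f"forbidden element <{name}>")
        for attribute, value in element.attrib.items():
            short = local_name(attribute)
            if short.lower().startswith("on"):
                problems.append(f"event handler attribute {short} on <{name}>")
            if attribute in URI_ATTRIBUTES and UNSAFE_SCHEME.match(value):
                problems.append(f"unsafe URI in {short} on <{name}>")
    return problems


def svg_size(svg_text: str, default=(100, 100)):
    """Intrinsic size in CSS pixels.

    Order: unitless or px width/height attributes, then the viewBox, then the
    caller's default. Lengths in other units (such as "10cm") are left to the
    viewBox here; unit conversion is outside this example.
    """
    root = ET.fromstring(svg_text)
    width = PIXEL_LENGTH.match(root.get("width", ""))
    height = PIXEL_LENGTH.match(root.get("height", ""))
    if width and height:
        return float(width.group(1)), float(height.group(1))
    view_box = root.get("viewBox", "").replace(",", " ").split()
    if len(view_box) == 4:
        try:
            _, _, vb_width, vb_height = (float(v) for v in view_box)
        except ValueError:
            return default
        if vb_width > 0 and vb_height > 0:
            return vb_width, vb_height
    return default


# Constructed sample documents for the example.
CLEAN_SVG = ('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 640 480">'
             '<rect width="640" height="480"/></svg>')
SCRIPT_SVG = ('<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
              '<script>/* script body */</script></svg>')
HANDLER_SVG = '<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10" onload="handler()"/>'
LINK_SVG = ('<svg xmlns="http://www.w3.org/2000/svg" width="1" height="1">'
            '<a href="javascript:void(0)"><rect width="1" height="1"/></a></svg>')

if __name__ == "__main__":
    for label, doc in [("clean", CLEAN_SVG), ("script", SCRIPT_SVG),
                       ("handler", HANDLER_SVG), ("link", LINK_SVG)]:
        print(label, svg_size(doc), svg_problems(doc) or "accepted")
```

The size function shows why a file with only a viewBox used to be mis-measured: if the reader looks solely at width and height attributes and then falls back to a constant, every such SVG comes out at the constant.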

PHP 8.1

This update also includes several fixes for PHP errors that stopped Zenario from running
on PHP version 8.1.

This includes several database errors that would cause an installation to fail when
running the installer on PHP version 8.1.

Miscellaneous

All menu plugins now say which menu section they are using in the slot drop-down menu.

For Banner plugins that use images from the image library, we've added quick links to
each image's properties and to the image in Organizer into the slot drop-down menu.

Fixed a bug where the "rollover" images would not work properly in the banner plugin if
a certain combination of plugin settings was chosen.

Fixed a bug with plugins that offer a zip download of multiple files: if an admin renamed
a file, it would not appear in the zip downloads.