
@garvinhicking garvinhicking released this Aug 16, 2018 · 36 commits to 2.1 since this release

This release addresses several security issues that have been reported to us by Hanno Boeck, Brian Carpenter, oreamnos and Julio Cesar. Many thanks for this!

More specifically:

  • Ensure URL parameter casting for RSS and blog entry limits to prevent possible SQL injection inside the LIMIT statement part
  • Prevent XSS in the "Edit entries" panel
  • Prevent sending comment notifications to more than one email address
  • Disable exit.php-Tracking for open URL redirection, unless the trackexits plugin is specifically configured to do so

The release also introduces a new feature for a "legal" plugin property bag attribute (usable for GDPR/DSGVO plugin information) and by default disables the subToMe service to prevent GDPR issues.

(MD5: 4e0fe2a842077293f0edd8cbe3e5e8d8)
