Lack of CSRF protection

[carsonchan12345]

Most crucial functions lack CSRF protection (e.g., CSRF token on admin function). Which allows CSRF attack.

[darkman97i]

That will be fixed in the next major release of the OpenKM. We estimate before the end of the year we will got it released... if you meanwhile wish to patch the current code yourself, you are welcome. The status of the current CE is frozen and only will be fixed by us if appears a radical security issue.

[necouchman]

@darkman97i Do I read correctly that this means you do not intend to provide a Community Edition going forward? Maybe you could update your web page and indicate that, or just remove the "Community Edition" and "Open Source" claims, entirely?

[darkman97i]

I have not said it. I said the current shared code is frozen for us, this branch will no longer updated by us. You have the code and if you wish you can fix it -> that's also the idea of Open Source code, third-party people collaborate on it.

The current code is frozen because we are working on a major release. The major release never comes from the current CE code it comes from one of the professional edition branches.