Security Vulnerability - All Exponent Versions - August 2016

Sunday, August 28, 2016 Tags: patch, security

There is a security vulnerability in Exponent 2.x, found on August 26, 2016 and reported by Balisong, which could allow uploaded scripts to be executed. It has been present in all versions of Exponent 2.x. The fix is:

  • Update to the latest version (v2.3.9), which will be released around September 1st. This is the recommended fix, since it also addresses several security issues and other fixes that are not included in the patches to v2.2.3 or v2.1.4.
  • If you are running a 2.2.x installation and do not want to update to the latest version, update to v2.2.3 (the last release before the major version update to v2.3.x) and install its latest patch (v2.2.3patch12). If you are already running v2.2.3, you will want to install this patch, which also corrects some other issues.
  • If you are running a version prior to v2.2.0 (v2.0.x or v2.1.x) and do not want to update to the latest version, update to v2.1.4 (the last release before the major version update to v2.2.x) and install its latest patch (v2.1.4patch9). If you are already running v2.1.4, you will want to install this patch.
  • There is no easy manual method, but in simple terms the patch updates or adds the .htaccess files in the /files and /tmp folders and their subfolders so that the web server will not execute scripts uploaded there.
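The last bullet describes the mitigation in general terms. The script below is an added example, not the Exponent project's patch: it writes an Apache 2.4 .htaccess that refuses to serve or execute script files into every directory under the upload trees, and checks that no directory was missed. The web root path, the rule set and the helper names (install_htaccess, verify_htaccess) are assumptions for illustration; the /files and /tmp folder names are the ones the advisory gives.

```shell
#!/bin/sh
# Added example (not Exponent's own patch): deploy a deny-execution .htaccess
# into every directory under the upload trees and verify the deployment.
# Assumes Apache 2.4 and an AllowOverride that permits Limit, FileInfo and Options.
set -eu

# Rules that stop uploaded files from being served as scripts. The FilesMatch
# pattern also catches double extensions such as shell.php.jpg, which mod_php
# may otherwise run when the handler is bound by extension.
HTACCESS_BODY='# Block execution of anything uploaded here
<FilesMatch "\.(ph(p[0-9]?|tml|ar)|pl|py|cgi|sh|shtml)(\.|$)">
    Require all denied
</FilesMatch>
# No CGI, no server-side includes, no directory listings in this tree
Options -ExecCGI -Includes -Indexes
# Detach the PHP handler from the extensions as a second layer
RemoveHandler .php .phtml .phar .php3 .php4 .php5 .php7
RemoveType .php .phtml .phar .php3 .php4 .php5 .php7
'

# install_htaccess DIR: write the rules into DIR and every subdirectory,
# overwriting any stale copy (find lists DIR itself first).
install_htaccess() {
    root="$1"
    find "$root" -type d | while IFS= read -r d; do
        printf '%s' "$HTACCESS_BODY" > "$d/.htaccess"
    done
}

# verify_htaccess DIR: return 0 if every directory under DIR carries the deny
# rule, 1 if any directory lacks it (e.g. a subfolder created after deployment).
verify_htaccess() {
    root="$1"
    missing=$(find "$root" -type d ! -exec sh -c \
        'grep -qs "Require all denied" "$1/.htaccess"' sh '{}' \; -print \
        | wc -l | tr -d ' ')
    [ "$missing" -eq 0 ]
}

# Example invocation against a web root (hypothetical path).
# install_htaccess /var/www/exponent/files
# install_htaccess /var/www/exponent/tmp
# verify_htaccess  /var/www/exponent/files && echo "files tree protected"
```

Two caveats a practitioner should check before relying on this. First, .htaccess is honoured only when the enclosing vhost allows overrides; with AllowOverride None (or on nginx) the file is silently ignored, so confirm the deployment by uploading a harmless test file with a .php extension and requesting it, expecting a 403 rather than executed output. Second, the rules above are for Apache 2.4; Apache 2.2 needs Order deny,allow and Deny from all in place of Require all denied, and php_flag engine off was deliberately left out because it causes a 500 error wherever PHP runs under FPM rather than mod_php. New subfolders created by the application after deployment do not inherit the file, which is why verify_htaccess is worth running periodically.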