News items tagged with "patch"

There is a security vulnerability in Exponent 2.x found on August 26, 2016 reported by Balisong which could allow uploaded scripts to be executed. It has been present in all versions of Exponent (2.x). The fix is:

This patch fixes several issues in the v2.3.7 release and v2.3.7 patch #1, patch#2, and patch#3.  It also provides several tweaks and even some new features, though the main focus is providing several regression fixes.  It should be noted that the new optional 'Upgrade permissions' upgrade scripts will attempt to lock down the site by fixing file and folder permissions (except for cgi-bin) which means also turning off the 'execute' permission.   It must be noted that this patch (like the previous patches to v2.3.7) will break any custom text module view templates using in-place editing.  Unlike previous patches, this patch file also includes all the 'installation' files in the event you secured your site by deleting or renaming the /install folder. Patch #4 to v2.3.7 is found at http://sourceforge.net/projects/exponentcms/files/exponent-2.3.7-patch-4.zip/download​

This patch fixes a number of issues in the v2.3.5 and v2.3.5patch1 releases. The main fix is for a regression issue in v2.3.5 & v2.3.5patch1 which prevented ecommerce checkout. Patch #2 to v2.3.5 is found at http://sourceforge.net/projects/exponentcms/files/exponent-2.3.5-patch-2.zip/download

We've gone ahead and released a new version (Christmas Consolidation) to help consolidate recent patches and reduce confusion.  Though this patch primarily addresses anomalies introduced with the recent XSS exploit fix, it also adds some new and updated features from the development code.