We are releasing a security patch. It addresses a CSRF vulnerability reported to us: on a site that lets members post HTML or iframes, an attacker with enough knowledge could inject markup that issues a forged request on behalf of a logged-in member, change that member's email address, and take over the account. We recommend that all SocialEngine PHP websites apply the patch as a precaution.
You do not need to do a full upgrade. Follow these steps to apply just the patched file.
Changelog:
We recommend not allowing members to add iframes, and allowing HTML only for trusted members.
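To make the two points above concrete (a state-changing request that is not tied to the member's session can be forged from injected markup, and member HTML should not carry iframes), here is an added example written for this page. It is not SocialEngine code: the `Request` class, the `accounts` dictionary and the function names are hypothetical stand-ins for a framework request object and the account store. It shows an email-change handler in the pattern the patch fixes beside a hardened version that requires a per-session synchronizer token and a matching Origin/Referer, plus an allow-list sanitizer that drops iframes, scripts, event-handler attributes and `javascript:` links from member-supplied HTML.

```python
"""Constructed example: CSRF-protected email change and iframe-free member HTML.
Not SocialEngine code; Request/accounts are assumed stand-ins for a framework."""
import hmac
import html
import secrets
from html.parser import HTMLParser
from urllib.parse import urlparse


class Request:
    """Hypothetical minimal request object (assumed, not a real framework API)."""

    def __init__(self, method, form, session, headers=None):
        self.method = method
        self.form = form            # parsed POST body
        self.session = session      # server-side session dict, keyed by cookie
        self.headers = headers or {}


def change_email_vulnerable(req, accounts):
    """The pattern a CSRF patch fixes: any POST carrying 'email' is honoured.
    An injected <iframe> that auto-submits a form from another origin therefore
    rewrites the victim's address while the victim's session cookie rides along."""
    if req.method != "POST":
        return 405
    accounts[req.session["user"]] = req.form["email"]
    return 200


def issue_csrf_token(session):
    """Server mints a random per-session token and embeds it in its own form."""
    token = secrets.token_hex(32)
    session["csrf"] = token
    return token


def _request_origin(headers):
    raw = headers.get("Origin") or headers.get("Referer")
    if not raw:
        return None
    p = urlparse(raw)
    return f"{p.scheme}://{p.netloc}".lower()


def change_email_hardened(req, accounts, site_origin):
    """Synchronizer-token check, plus Origin/Referer as defence in depth."""
    if req.method != "POST":
        return 405
    expected = req.session.get("csrf")
    supplied = req.form.get("csrf", "")
    # Constant-time compare: no timing signal about how many bytes matched.
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return 403
    if _request_origin(req.headers) != site_origin.lower():
        return 403
    accounts[req.session["user"]] = req.form["email"]
    return 200


ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "br", "ul", "ol", "li"}
ALLOWED_ATTRS = {"a": {"href"}}
URL_SCHEMES = {"http", "https", ""}          # "" covers relative links
# Elements removed together with everything inside them.
DROP_WITH_CONTENT = {"script", "style", "iframe", "frame", "frameset", "object", "embed"}


class AllowlistSanitizer(HTMLParser):
    """Keeps only allow-listed tags and attributes; iframes and scripts go entirely."""

    def __init__(self):
        super().__init__()
        self.out = []
        self.dropping = 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.dropping += 1
            return
        if self.dropping or tag not in ALLOWED_TAGS:
            return
        kept = ""
        for name, value in attrs:
            value = (value or "").strip()
            if name not in ALLOWED_ATTRS.get(tag, ()):
                continue                        # drops onclick=, style=, srcdoc=, ...
            if name == "href" and urlparse(value).scheme.lower() not in URL_SCHEMES:
                continue                        # drops javascript:, data:, vbscript:
            kept += f' {name}="{html.escape(value, quote=True)}"'
        self.out.append(f"<{tag}{kept}>")

    def handle_startendtag(self, tag, attrs):   # <br/> should not emit </br>
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.dropping = max(0, self.dropping - 1)
            return
        if not self.dropping and tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.dropping:
            self.out.append(html.escape(data))  # text is re-escaped, never raw


def sanitize_member_html(markup):
    p = AllowlistSanitizer()
    p.feed(markup)
    p.close()
    return "".join(p.out)
```

The token check alone defeats the forged request; the Origin/Referer check is a second, independent barrier for the case where a token leaks. The sanitizer is an allow list rather than a block list, so a tag or attribute the author did not think of is dropped by default.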
Should you decide to perform an upgrade, we strongly encourage all clients to take a complete backup of both files and database before upgrading. If you are not comfortable doing this yourself, have your host or a developer perform the backup. Always check with the third-party vendors of any products you use for compatibility before upgrading.
Important: if you decide to do a full upgrade and are on version 4.9.4p1 or below, follow the special steps in the upgrade documentation before upgrading and apply the patch mentioned there.
If you find any issues, please let us know by filing a bug report in our Bug Tracker. Security issues should be reported to our support desk by emailing us at support@socialengine.com.
We would like to extend our greatest appreciation to Sanjay Lendhar who brought this vulnerability to our attention via our support channel. It is with the help of our clients that we continue to improve.
With Great Appreciation,
The SocialEngine Team
Thanks for this!
Thank You