Security Advisory for ExpressionEngine installs prior to 2.2.0

by: Wes Baker on: 12/10/2012

An XSS vulnerability was brought to our attention that affects installations that began on versions older than ExpressionEngine 2.2.0. It involves the third-party swfupload JavaScript/Flash Upload Library, which has not been used since ExpressionEngine 2.2.0 (released on June 22, 2011).

The solution is to upgrade to at least ExpressionEngine 2.2.0 (and preferably the latest version of ExpressionEngine) and to then delete the themes/cp_themes/default/images/swfupload_f9.swf file from your themes directory.
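The delete step above, as a script that also confirms nothing was left behind. This is an added example, not EllisLab's own code. Searching the whole themes directory for other copies of the file (for instance in a copied control panel theme) is an assumption of this example, and the function names and demo directory tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: locate and remove leftover copies of swfupload_f9.swf.
# The advisory names themes/cp_themes/default/images/swfupload_f9.swf; looking
# for copies elsewhere under themes/ is an assumption of this example.

SWF_NAME='swfupload_f9.swf'

# Print every regular file with the advisory's filename under a themes directory.
find_swfupload() {
    find "$1" -type f -name "$SWF_NAME" 2>/dev/null
}

# Count remaining copies (0 means the advisory's delete step is complete).
count_swfupload() {
    find_swfupload "$1" | wc -l | tr -d ' '
}

# Delete every copy found, then return non-zero if any copy survived
# (for example because of file permissions).
remove_swfupload() {
    find_swfupload "$1" | while IFS= read -r f; do
        rm -f -- "$f" && printf 'removed %s\n' "$f"
    done
    [ "$(count_swfupload "$1")" -eq 0 ]
}

# Demo on a constructed directory tree (not a real install).
demo() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/themes/cp_themes/default/images" \
             "$root/themes/cp_themes/custom/images"
    : > "$root/themes/cp_themes/default/images/swfupload_f9.swf"
    : > "$root/themes/cp_themes/custom/images/swfupload_f9.swf"
    : > "$root/themes/cp_themes/default/images/logo.png"
    printf 'before: %s copies\n' "$(count_swfupload "$root/themes")"
    remove_swfupload "$root/themes"
    printf 'after: %s copies\n' "$(count_swfupload "$root/themes")"
    rm -rf "$root"
}

# Usage: sh script.sh /path/to/themes   (no argument runs the constructed demo)
if [ -n "${1:-}" ]; then remove_swfupload "$1"; else demo; fi
```

A non-zero exit status from `remove_swfupload` means at least one copy is still on disk and is still being served from the themes directory.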
