Security Vulnerability - All Exponent Versions - September 2016 (Updated)

dleffler

There are several security vulnerabilities in Exponent 2.x found on September 12 and 13, 2016, reported by Manuel Garcia Cardenas and PKAV TEAM which could allow possible SQL injections. They have been present in all versions of Exponent (2.x). The fix is:

• Update to the latest version (v2.3.9) and the latest patch (v2.3.9patch1) which will be released around September 13th. This is the recommended fix since it also addresses several security issues and other fixes not addressed in the patches to v2.2.3 nor v2.1.4.
• If running a version 2.2.x installation and not wanting to update to the latest version, you should update to v2.2.3 (last release before major version update to v2.3.x) and install its latest patch (v2.2.3patch14). If you are already running v2.2.3, you'll want to install this patch to also correct some other issues.
• If running a version prior to v2.2.0 (v2.0.x or v2.1.x) installation and not wanting to update to the latest version, you should update to v2.1.4 (last release before major version update to v2.2.x) and install its latest patch (v2.1.4patch11). If you are already running v2.1.4, you'll want to install this patch. It should be noted that v2.1.4 will NOT run on any of the currently maintained versions of PHP (v5.6 and v7.0).
• There is no manual method,

dleffler

Use the form at http://www.exponentcms.org/exponent-bugs.htm