Please disregard the 'View article...' shown at the bottom of many posts as this is the result of restoring old forum posts from a backup.

v2.4.0patch1 released to fix several issues including multiple security vulnerabilities

edited November 2016 in Announcements

This patch fixes several issues in the v2.4.0 release and addresses a number of security vulnerabilities found in all previous versions of Exponent CMS v2.x. We strongly encourage all Exponent installations be upgraded to v2.4.0 with this patch as soon as practical! Patch #1 to v2.4.0 is found at

v240patch1 adds these features to v240:

  • adds form control description option to calendarcontrol, popupdatetimecontrol, and yuicalendarcontrol

v240patch1 fixes these issues in v240:

  • fix unable to display multiple recaptcha widgets per page (multiple forms per page)
  • fix anomalies with event feedback email from announcement view
  • fix some issues with the new 'output as link' form control option and some form showall portfolio view issues
  • regression fix (v2.4.0) file upload logic error...would rename '_' to '..'
  • regression fix expPaginator would only return a single page if called with sql statement (total records was set to page limit)
  • fix security vulnerability to bypass permissions using method name in wrong case, reported by fyth
  • fix security vulnerability attempt to modify config.php (logic was incorrect), reported by xiaojunjie
  • fix security vulnerability to get user list, reported by pang0lin
  • fix security vulnerability in search method, reported by pang0lin
  • fix security vulnerability to editing addresses, countries, and regions; reported by pang0lin
  • fix security vulnerability to reranking pages; reported by kyohpc
  • fix security vulnerability update group; reported by DM_
  • fix security vulnerability in order search and editor preview; reported by fyth
  • fix security vulnerability in ratings; reported by fyth
  • prevent swf/flash uploads in elFinder to prevent malicious code upload; reported by DM_
  • fix many sql injection security vulnerabilities which failed to account for sef urls; reported by many people
  • fix failure to output jquery addon stylesheets within ajax call
  • fix bs3 popupdatetimecontrol initial display if system date/time format is not consistent with other bs3 date time widgets

v240patch1 updates these 3rd party libraries in v240:

  • update jstree to v3.3.3
  • update owl carousel to v2.2.0
Sign In or Register to comment.