Updated, Fixed Patches Released for V2.3.1, V2.2.3, and V2.1.4

We've fixed a security issue (identified by Mayuresh Dani and Narendra Shinde from qualys.com) in our current release and some of our older versions, and now have patches available to fix this specific issue:
* Fixes cross-site security issue

The v2.1.4 patch #6 download is found at http://sourceforge.net/projects/exponentcms/files/exponent-2.1.4-patch-6.zip/download.
The v2.2.3 patch #9 download is found at http://sourceforge.net/projects/exponentcms/files/exponent-2.2.3-patch-9.zip/download.

In addition to this fix, several other fixes are included in patch #1 to v2.3.1 found at http://sourceforge.net/projects/exponentcms/files/exponent-2.3.1-patch-4.zip/download.

v2.3.1patch4 fixes these issues in v2.3.1:
* !!! Fixes cross-site security issue
* Re-introduces old (0.9x) theme compatibility if OLD_THEME_COMPATIBLE constant is set in the theme config.php settings file
* Fixes issue where IE fixes would be applied since they were loaded before the stylesheets
* Fixes issue with possible mangled meta tags (due to bad user input)
* Fixes issue where message queue wasn't always displayed
* Fixes issue in a dropdown control where both 'blank item' and 'no items' would be listed
* Fixes shipping/billing calculator upgrade script to run on all upgrades
* Updates removal of some old libraries left in after upgrade from v2.3.0 to v2.3.1
* Adds comment to .htaccess file to help with issues running from subfolder
* Fixes bad refs for .htaccess error documents
* Fixes some issues saving bootstraptheme/bootstrap3theme theme configuration setting changes
* Fixes display of showlogin view for bootstrap3
* Fixes bad closing tag on new 'message' smarty function
* Fixes issue where the MOTD item's 'any month' setting was not allowed
* Fixes expSession to deal with mangled $user session variable
* Fixes expUtil::browser() method to work w/ php v5.2.1
* Fix for possible database manager write error reporting 'Invalid CSRF token'
* More graceful exit from an upgrade if the database is down
* Fixes styling of DataTables Tabletools for non-bootstrap views
* Now allows sorting by 'is admin' for manage user view
* Fixes issue w/ CKEditor (only elFinder support fixed) where image size didn't appear in insert image dialog after file selection, now also transfers 'alt' from file manager

Therefore, the following patches (which may be available in the wild) are NOT recommended:
v2.1.4patch3, v2.1.4patch4, and v2.1.4patch5
v2.2.3patch6, v2.2.3patch7, and v2.2.3patch8
v2.3.1patch1, v2.3.1patch2, and v2.3.1patch3

Comments

  • The zip file for 2.3.1 cannot be expanded. Is it supposed to be more than 128KB in size? I've tried downloading it 3 times and it's never bigger than that. Also I see that's what size it shows on SourceForge as well.
  • Working on re-uploading the v2.3.1patch4 file and v2.1.4patch6 files. They can also be found here https://github.com/exponentcms/exponent-cms/releases
  • Should there be a fix for the File Manager too? I noticed after the faulty patch that I couldn't DELETE files in the File Manager anymore. I did install the new patch but it didn't bring back the ability to delete the files.

    The system says an error alert:
    "Some files were NOT deleted because JSON - Syntax error, malformed JSON"
  • Is this the traditional File Manager or the new elFinder?
  • Actually, I've found the issue and am working on a fix
  • Thanks! No settings done by us for the File Manager when the error came, so standard as it comes when installing.
  • I hope to have a new patch out this week...was a result/consequence of the recent patch