
Navigate CMS Update: 2.9

01 Jun '20

The Navigate CMS team has just released a software update which includes a lot of important security fixes. Most of the vulnerabilities detected were reported by the security researcher Gus Ralph (Twitter). We want to deeply thank Gus for all the information and collaboration provided.

Full changelog:

+ i18n: added French translation placeholder
* i18n: updated Norwegian Bokmål translation with changes from weblate (thank you kingu)
+ i18n: added some new strings
* list webget: return empty string when element field date_to_display has no value
* feeds, file.class: try using cURL first instead of file_get_contents
* events: triggering an event with multiple binds now returns an array of identified results
+ events: added "tinymce_add_content_event" to allow extensions to add custom content (or nv tags) in the tinymce editor
+ navigate.js: adding content to tinymce now opens a dialog when multiple options are available
+ extensions: additional security checks for extension package uploads
* filter some order variables used on application lists
+ added CSRF protection on all application forms, including the login page
* setup: filter APP_OWNER contents to prevent XSS attacks
* cfg/globals: prevent running the file on direct access
+ themes: additional security checks for theme package uploads
+ added library HTML Purifier v4.12.0
+ added CSRF protection on file uploads
+ added CSRF protection on some ajax requests
+ HTML Purify some fields to prevent XSS attacks
* nvweb object: relative theme path files were not processed correctly after security measures added
+ added security token in GET requests that modify or remove items
* extensions: preinit events were ignored
+ included library URLify for PHP v1.2 (and its dependencies) using composer
* templates: added security checks and transliteration (PHP >= 7) when using manual file path location
* apply new security protocol for all cookies used: samesite=Lax

You can view all source code changes in our GitHub repository.

To auto update your Navigate CMS instance, sign in as an Administrator and access the Configuration > Update function. You may also download the update package from SourceForge and apply it manually.

 