We've released a new maintenance update for PivotX. Since this release fixes a security issue, it is a recommended upgrade for all PivotX 2.x websites. For earlier security-related issues and patches, see the page dedicated to Security issues.
These are the changes since PivotX 2.3.8:
- A file upload vulnerability and various XSS issues on the admin pages. All of these issues require that the attacker has a PivotX account, which mitigates the risk, but for sites with multiple users you will want these patched.
Other bug fixes:
- For flatfile databases:
- Adding excerpts to the output from getLatestPages so page excerpts are displayed on the dashboard.
- 'read_entries' should not change the current entry (since read_entries is used for other things than creating subweblogs).
- Bug fix in session cookie domain - any subdomain named "wwwX" (where X is any character) resulted in an invalid domain for the cookie.
- Set UTF-8 for debug window (and also give it a title).
The PivotX 2.3.9 release can be downloaded from this location: pivotx.net/files/pivotx_latest.zip (or pivotx.net/files/pivotx_latest.tgz, if you prefer .tgz files). For setup instructions, we point you to our documentation: Getting the files & installing. If you're having trouble downloading the files, you can also download them from our SourceForge mirror.