
glFusion v1.1.2 and earlier Security Fix


A vulnerability has been identified in all current glFusion versions that allows an attacker to expose the password hash for users on your site, including the Admin user. This could lead to an attacker successfully logging into your site using those compromised credentials.

All glFusion users should replace the listfactory.class.php source file with this updated version, which removes the vulnerability:

private/system/classes/listfactory.class.php

This exploit has highlighted some additional concerns that we are currently investigating; we will post additional updates when necessary.