glFusion v1.4.x Security Issue


A cross-site scripting (XSS) vulnerability has been found in the File Management plugin used by the CKEditor in glFusion. XSS enables attackers to inject client-side script into Web pages viewed by other users. The issue was found by Mohammad Sikkandar Sha.

To resolve the issue, please remove the following directories from your glFusion system:

  • public_html/ckeditor/plugins/filemanager/connectors/php/inc/vendor/wideimage/demo
  • public_html/ckeditor/plugins/filemanager/connectors/php/inc/vendor/wideimage/test

You may delete all the files in the above directories and remove the directories without affecting the use of the File Manager plugin in CKEditor. These directories contain demo and test code and are not needed for normal use.

Please remove these directories as soon as possible.

 - The glFusion Support Team
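One way to script the removal and confirm the result, as an added example that is not part of the original advisory or glFusion's own code. It assumes a POSIX shell and that the argument is the directory containing `public_html`; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit and remove the two WideImage directories named in the advisory.
# Assumption: the argument is the directory that contains public_html.
# Usage: . ./remove_wideimage_extras.sh && remove_wideimage_extras /path/to/site

WIDEIMAGE_REL="public_html/ckeditor/plugins/filemanager/connectors/php/inc/vendor/wideimage"

# Print each advisory directory still present; return 1 if any exists, 0 if clean.
audit_wideimage() {
    root=$1
    found=0
    for sub in demo test; do
        dir="$root/$WIDEIMAGE_REL/$sub"
        if [ -e "$dir" ] || [ -L "$dir" ]; then
            echo "PRESENT: $dir"
            found=1
        fi
    done
    return "$found"
}

# Remove demo/ and test/ only; the rest of the wideimage library is left untouched.
# Returns 2 if the wideimage directory is not found (wrong root), else the audit result.
remove_wideimage_extras() {
    root=$1
    base="$root/$WIDEIMAGE_REL"
    if [ ! -d "$base" ]; then
        echo "wideimage directory not found under $root" >&2
        return 2
    fi
    for sub in demo test; do
        dir="$base/$sub"
        if [ -L "$dir" ]; then
            # A symlink here is unexpected: remove the link itself, never its target.
            rm -f -- "$dir"
        elif [ -d "$dir" ]; then
            rm -rf -- "$dir"
        fi
    done
    # Re-check so the caller gets a non-zero status if anything survived.
    audit_wideimage "$root"
}
```

Running `audit_wideimage` on its own after each upgrade or restore shows whether the directories have come back.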

 


by Mark

Mark is the main developer on glFusion. When not doing his real job and playing with his family, he really enjoys working on glFusion and the collaboration with the glFusion community.
