The Coppermine development team is releasing a security update for Coppermine in order to counter a recently discovered vulnerability. It is important that all users who run version cpg1.5.34 or older update to this latest version as soon as possible.How to update
Users running versions prior to 1.5.36 should update immediately by downloading
the latest version from the download page
and following the upgrade steps in the documentation
If you have problems with this update, please use the Update support board
. Do not post your issues to this announcement thread - your post will be deleted without notice.Why was cpg1.5.36 released?
The release covers a recently discovered XSS vulnerability that allows (if unpatched) a malevolent visitor to include own script routines under certain conditions. Furthermore, an open redirect issue and a directory enumeration issue have been fixed.
Additionally, cpg1.5.36 includes fixes for the following non-security related issues:
- Strip whitespace from imported IPTC title and caption (thread)
- Fixed icon when deleting picture from an album (thread)
- Made phpBB 3 bridge compatible with phpBB version 3.1.x (thread)
- Updated Italian language file (thread)
- Fixed database error for non-existing files (thread)
- Fixed typo in French docs (thread)
Thanks to Mahendra
for discovering the vulnerability.
The Coppermine Team