General Information
On the 23rd of September 2014, the following was released:
Modules
- ISL Groop 3.0.5 (release_date=2014-07-23, revision=36276)
Update availability
All updates have their release date set to 2014-07-23. Your ESS will need to be the same or higher to be able to update your server. This release is available to all countries except Japan.
Upgrading to new version
These are server-side updates, so hosted service users do not need to do anything.
Server license users, please check Upgrading Server License.
Improvements
New features
ISL Groop - Module - Use new file override framework [ISLGROOP-476]
Description: Removed the custom implementation of overrides for user pages in the ISL Groop module. The previous version of the module supported separate override functionality for user pages; the new module supports only the standard override method, which is also used by other modules. The new feature also fixes a security issue found in the ISL Groop file override functionality.
Example of new implementation usage:
objects/web_content_[_subtemplate_SUBTEMPLATE_]FILEBASE_VERSION.FILEENDING (objects/web_content_usersxyzbubu_1.html)
LSE Leading Security Experts GmbH opened CVE-2014-7165, which is resolved by the implementation of this feature.
Defect fixes
ISL Groop - Module - XSS HTML injection is possible in input fields [ISLGROOP-477]
Description: Input fields in the ISL Groop web interface did not correctly escape HTML content, so XSS HTML injection was possible. All input fields are now correctly escaped, eliminating the possibility of XSS HTML injection.
The defect was fixed.
LSE Leading Security Experts GmbH opened CVE-2014-7166, which is resolved by this defect fix.