Security Advisory for ExpressionEngine installs prior to 2.2.0

An XSS vulnerability was brought to our attention that affects installations that began on versions older than ExpressionEngine 2.2.0. It involves the third-party swfupload JavaScript/Flash Upload Library that is no longer being used as of ExpressionEngine 2.2.0—which was released on June 22, 2011.

The solution is to upgrade to at least ExpressionEngine 2.2.0 (and preferably the latest version of ExpressionEngine) and to then delete the themes/cp_themes/default/images/swfupload_f9.swf file from your themes directory.
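
Upgrading alone leaves the file in place, so the check below confirms the deletion step by looking for leftover copies under a web root. It is an added example, not part of the original advisory or of ExpressionEngine's own tooling; the function names and the web-root argument are assumptions, and it matches by file name, so it also reports copies outside the one path named above.

```shell
#!/bin/sh
# Audit a web root for the leftover swfupload Flash file named in the
# advisory. Read-only: it reports what it finds and deletes nothing.

# Path from the advisory, relative to the site's web root.
ADVISORY_PATH="themes/cp_themes/default/images/swfupload_f9.swf"

# Print every copy of swfupload_f9.swf under $1, one per line.
# Matching on the file name (case-insensitively) is broader than the
# advisory's single path; that generalisation is this example's choice.
find_swfupload() {
    find "$1" -type f -iname 'swfupload_f9.swf' 2>/dev/null | sort
}

# Return 0 if the root is clean, 1 if any copy remains, 2 on a bad root.
audit_install() {
    case $1 in
        /) root=/ ;;
        *) root=${1%/} ;;   # drop one trailing slash so paths compare cleanly
    esac
    [ -d "$root" ] || { echo "not a directory: $1" >&2; return 2; }
    hits=$(find_swfupload "$root")
    if [ -z "$hits" ]; then
        echo "OK: no swfupload_f9.swf under $root"
        return 0
    fi
    printf '%s\n' "$hits" | while IFS= read -r f; do
        if [ "$f" = "$root/$ADVISORY_PATH" ]; then
            echo "FOUND (advisory path): $f"
        else
            echo "FOUND (other location): $f"
        fi
    done
    return 1
}

# Run as a script: audit each web root given on the command line.
for r in "$@"; do audit_install "$r"; done
```

Pass one or more web roots as arguments; a non-zero exit status for the last root means a copy is still on disk.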
