CMS Made Simple 1.11.13

23 February 2015

CMS Made Simple version 1.11.13 is now available (security release).

Upgrading to CMS Made Simple 1.11.13


CMS Made Simple 1.11.13 can be upgraded to (or installed) using any of Installatron's products. Use Installatron's optional Automatic Update feature to automatically apply CMS Made Simple updates as new versions are released, or use Installatron's Clone feature to duplicate an existing CMS Made Simple install to test the 1.11.13 upgrade prior to applying it live. Get started managing your CMS Made Simple installations with Installatron.

What's New in CMS Made Simple 1.11.13


This is an important security release! The issues we found were related to reliable ways to generate a full path disclosure, to XSS vulnerabilities, and to potential flooding and denial-of-service attacks in the News fesubmit feature. Additionally, though minor, we fixed an XSS vulnerability in the add and edit bookmark functionality in the admin interface. These vulnerabilities apply to all versions of CMSMS.

The News fesubmit feature that allows site visitors to submit News articles was particularly vulnerable. Although we do not think that this feature is used much, it is available, and all CMSMS sites that use the News module, or have it enabled, are vulnerable to attack. The new version of News now has an option to enable the fesubmit feature, which is OFF by default. This means that upon upgrade, the sites that do use the fesubmit feature of News must explicitly enable it in the module settings.

Because of the important nature of these security issues, we recommend that everybody upgrade all of their websites to CMSMS 1.11.13 as soon as possible. As per our support policy, the only supported versions of CMSMS as of this release are 1.11.13 and 1.11.12.
