
PyroCMS 2.2.5

7 June 2014

PyroCMS version 2.2.5 is now available.

Upgrading to PyroCMS 2.2.5


PyroCMS 2.2.5 can be upgraded to (or installed) using any of Installatron's products. Use Installatron's optional Automatic Update feature to automatically apply PyroCMS updates as new versions are released, or use Installatron's Clone feature to duplicate an existing PyroCMS install to test the 2.2.5 upgrade prior to applying it live. Get started managing your PyroCMS installations with Installatron.

What's New in PyroCMS 2.2.5


This vulnerability affects all CodeIgniter installations (PyroCMS is built on top of CodeIgniter). On some server setups, this vulnerability allows a user to crack the "encrypted" session cookie and inject their own data into the session key. This can happen on any application running on top of CodeIgniter which does not have the mcrypt extension installed.

The good news is that PyroCMS uses the database as the store for its session data, so all that can really be done is to inject a session_id into the session cookie. This can lead to a session hijack if a malicious user can guess a valid session_id, but the chances of that are slim. Regardless, it could happen, so updating is required.
