[Loris-dev] LORIS v16.1.2

David MacFarlane, Mr david.macfarlane2 at mcgill.ca
Wed Nov 9 14:11:03 EST 2016


Hi LORIS users,


Xavier recently discovered a vulnerability in LORIS where people who aren't logged in to LORIS can access some AJAX scripts and still retrieve the data, despite not being logged in. The users' login status wasn't being properly verified. (Many modules' AJAX scripts already did their own separate permission checking, which still worked, but not all did.)


We've made LORIS v16.1.2 to fix the issue, and *strongly encourage* you to upgrade any production servers.


If you're unable to upgrade, the fix in question is here: https://github.com/aces/Loris/pull/2403/files