A serious vulnerability has been identified in the back-end area and has been addressed in Build 437. We strongly recommend updating to this version.
- Added dot notation support to
- Added `attachOnUpload` property to the `FileUploadFormWidget` to attach the file directly to the parent record as soon as the upload completes, instead of waiting for deferred binding to attach the file
- Added `cache.codeParserDataCacheKey` configuration item to prevent issues when running multiple OctoberCMS instances attached to the same cache server
- Fixed infinite loop that could be triggered in the AuthManager
- Improved the SectionParser logic, fixing a bug with Markdown headers
- Improved PHP 7.2 support
- Prevent template files from being loaded outside of the application root
- Prevent invalid folders from being created in the Media Library
- Improved Polish translation
- Improved German translation
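The "prevent template files from being loaded outside of the application root" item above is a containment check: a template name supplied at runtime must resolve, after `..` segments and symlinks are collapsed, to a path under the allowed root. The following is an added illustration of that check written for this page; it is not October CMS code, and the function names (`resolveTemplateInsideRoot`, `runDemo`) and the temporary directory layout it builds are assumptions made for the example. It rejects absolute paths, NUL bytes, `..` traversal and symlinks that escape the root, and uses a separator-terminated prefix so `/srv/app` does not also match `/srv/app2`.

```php
<?php
declare(strict_types=1);

/**
 * Resolve a template name relative to $root and return its canonical path,
 * or null when the template does not exist or would resolve outside $root.
 * Example helper written for this page, not part of October CMS.
 */
function resolveTemplateInsideRoot(string $root, string $template): ?string
{
    $rootReal = realpath($root);
    if ($rootReal === false) {
        return null; // the root itself is missing; refuse rather than guess
    }

    // Absolute paths, drive letters and NUL bytes are never legitimate template
    // names, so reject them before touching the filesystem. The NUL check also
    // matters because realpath() refuses (PHP 8) or truncates (older) on NUL.
    if ($template === ''
        || $template[0] === '/' || $template[0] === '\\'
        || preg_match('#^[A-Za-z]:#', $template) === 1
        || strpos($template, "\0") !== false) {
        return null;
    }

    // realpath() collapses "." and ".." and follows symlinks, so the prefix
    // check below sees the file that would actually be opened.
    $candidate = realpath($rootReal . DIRECTORY_SEPARATOR . $template);
    if ($candidate === false) {
        return null; // does not exist, or a component is unreadable
    }

    $prefix = rtrim($rootReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null; // resolved outside the application root
    }

    return $candidate;
}

/**
 * Build a throwaway directory tree (constructed sample data), run a set of
 * template names through the check and return name => "allowed"/"rejected".
 */
function runDemo(): array
{
    $base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'tpl-root-' . bin2hex(random_bytes(4));
    $root = $base . DIRECTORY_SEPARATOR . 'app';
    mkdir($root . '/themes/demo/pages', 0700, true);
    file_put_contents($root . '/themes/demo/pages/home.htm', "<h1>home</h1>\n");
    file_put_contents($base . '/outside.php', "<?php echo 'outside';\n");
    // A symlink inside the root that points outside it (ignored if unsupported).
    @symlink($base . '/outside.php', $root . '/themes/demo/pages/link.htm');

    $cases = [
        'themes/demo/pages/home.htm',          // legitimate template
        'themes/demo/../demo/pages/home.htm',  // ".." that stays inside the root
        '../outside.php',                      // classic traversal
        'themes/demo/pages/link.htm',          // symlink escaping the root
        '/etc/passwd',                         // absolute path
        "themes/demo/pages/home.htm\0.php",    // NUL-byte truncation trick
    ];

    $results = [];
    foreach ($cases as $case) {
        $label = addcslashes($case, "\0"); // make the NUL visible in output
        $results[$label] = resolveTemplateInsideRoot($root, $case) !== null ? 'allowed' : 'rejected';
    }

    // Clean up the constructed tree.
    @unlink($root . '/themes/demo/pages/link.htm');
    unlink($root . '/themes/demo/pages/home.htm');
    unlink($base . '/outside.php');
    foreach ([$root . '/themes/demo/pages', $root . '/themes/demo', $root . '/themes', $root, $base] as $dir) {
        rmdir($dir);
    }

    return $results;
}

foreach (runDemo() as $name => $verdict) {
    printf("%-40s %s\n", $name, $verdict);
}
```

Only the first two names are allowed; the traversal, symlink, absolute-path and NUL-byte cases are all rejected. The order matters: the string checks come first because `realpath()` cannot be relied on to handle a NUL byte, and the prefix comparison comes last because it is the only step that catches a symlink whose target lies outside the root.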
Important Security Fix
These security issues affect all websites running October CMS Build 436 and earlier where the back-end URL is known and reachable by anyone. Two issues are fixed by this build:
- An unauthenticated user is able to execute PHP files stored on the server via the back-end.
- A back-end user is able to store a persistent XSS payload and potentially take control of another administrator's account.
If you are running Build 436 or earlier, perform a system update and ensure you are running Build 437 or above.
Using the back-end interface
Navigate to Settings > Updates & Plugins, select Check for updates, and follow the update process to complete the upgrade.
Using the command line interface
Using the CLI, run the following command:
php artisan october:update
Or if you are using composer:
If you are unable to perform an update for any reason, you may patch the following files manually by referencing this commit on GitHub.