We have just released CMSimple_XH 1.6.6. This release fixes a severe vulnerability and a few bugs, and updates to the latest jQuery4CMSimple and hi_UpdateCheck.
Updating is strongly recommended.
Changelog:
- fixed an Arbitrary Code Execution vulnerability (all versions since at least CMSimple_XH 1.0[1] are affected)
- fixed bug where plugin.css is refreshed on every request
- fixed regression bug where error message regarding already sent headers was not shown anymore
- fixed bug where HTML has been escaped twice in meta tags tab
- updated to jQuery4CMSimple 1.6
- updated to hi_UpdateCheck 1.3
As usual you have the following options:
- For new installations use the full installation package.
- For updating from CMSimple_XH 1.6.5 use the update package and follow the generic update instructions. Additionally, heed the following specific update notes:
  - Switch to the latest jQuery and jQueryUI in the configuration of the jQuery4CMSimple plugin
- For updating from CMSimple_XH 1.6 use the update package and follow the generic update instructions. Additionally, heed the following specific update notes:
  - With CMSimple_XH 1.6.1 we have moved the folders css/ and javascript/ to core/css/ and core/js respectively, so you may have to delete the old folders manually after the update.
  - In some cases spaces in the URL will be encoded differently (- instead of _). If you don't like that, change the config option Uri -> Word separator.
  - If you are using meta_tags title, you have to review the titles of the respective pages. The new behavior is likely to be what you want, but check it anyway.
  - Due to the changed heading level of the submenu, you might have to adapt your template's stylesheet.css if you have menu_levels not equal to 3.
  - If you want to use userprelude.php you have to replace the index.php files of existing copies of 2lang with 2lang/index.php.
  - Also heed the update notes for 1.6.5 to 1.6.6 above.
PS: [1] I've fixed the affected CMSimple_XH versions.