Critical security patch

This release contains a security patch related to the use of Twig code in the Twig Snippet plugin, and in the site-wide <head> and <body>.

The Twig template engine currently has a vulnerability in how some of its filters are implemented, which makes it possible for a designer or an administrator who is aware of the vulnerability to execute arbitrary commands on the server.

This update disables the ability for designers/administrators to call the affected filters.
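The same defensive idea, restricting which Twig filters designer-edited templates may call, can be expressed with Twig's own sandbox. The following is an added illustration, not code from this product or from Twig's release; it assumes Twig is installed via Composer, the filter allow-list is illustrative, and the two templates are constructed stand-ins for a Twig Snippet and a site-wide <head> fragment.

```php
<?php
// Added example: render designer-supplied Twig inside Twig's sandbox with an
// explicit allow-list of tags, filters and functions. Any filter that is not
// listed is refused at render time instead of being executed.
require __DIR__ . '/vendor/autoload.php'; // assumes Twig installed via Composer

use Twig\Environment;
use Twig\Loader\ArrayLoader;
use Twig\Extension\SandboxExtension;
use Twig\Sandbox\SecurityPolicy;
use Twig\Sandbox\SecurityError;

// Allow-list policy (illustrative): only presentation-level constructs are
// reachable from user-editable templates. Whatever is not listed is blocked,
// so an "affected filter" never has to be enumerated individually.
$policy = new SecurityPolicy(
    ['if', 'for', 'set'],                                   // allowed tags
    ['escape', 'upper', 'lower', 'length', 'date', 'join'], // allowed filters
    [],                                                     // allowed methods
    [],                                                     // allowed properties
    ['range']                                               // allowed functions
);

// Constructed sample templates standing in for a Twig Snippet and a
// site-wide <head> fragment edited by a designer. The second one uses
// json_encode, a real Twig filter that is deliberately absent from the list.
$loader = new ArrayLoader([
    'snippet' => 'Hello {{ name|upper }}!',
    'head'    => '<title>{{ title|json_encode }}</title>',
]);

$twig = new Environment($loader, ['autoescape' => 'html']);
// Second argument true: every template is sandboxed, not only those wrapped
// in a {% sandbox %} tag, so designers cannot opt out.
$twig->addExtension(new SandboxExtension($policy, true));

function renderSandboxed(Environment $twig, string $name, array $vars): string
{
    try {
        return $twig->render($name, $vars);
    } catch (SecurityError $e) {
        // Refuse the output and record the attempt; never fall back to an
        // unsandboxed render of the same template.
        error_log('Twig sandbox rejected template ' . $name . ': ' . $e->getMessage());
        return '';
    }
}

echo renderSandboxed($twig, 'snippet', ['name' => 'world']), PHP_EOL; // renders
echo renderSandboxed($twig, 'head', ['title' => 'Home']), PHP_EOL;    // blocked, empty
```

The 'snippet' template renders normally, while the 'head' template is rejected with a SecurityError because json_encode is not on the allow-list; the rejection is logged, which is the signal a site operator would want to alert on.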

Other fixes

We've fixed a visual glitch where administrators could always see the "Delete archived versions" and "Rescan text/image extract" buttons in the Content Items panel in Organizer, even if they didn't have the permissions needed to actually press them.

Thanks to...

larchik from T.Hunter for finding this.
