Security patches have been released for Zenario 9.0, 9.1, 9.2 and 9.3.

The releases contain a critical security patch for file uploads in User Forms. Anyone
using Zenario at one of these versions should update as soon as possible.

Critical security patch

This security update fixes a remote code execution vulnerability in Zenario's User Form
module.

If you had a form on a site that contained a file upload field, it was previously possible for an attacker to exploit a remote code execution vulnerability.

This update patches the vulnerability. We recommend everyone update their copy of Zenario as soon as
possible.

If you have a site running a version of Zenario earlier than 9.0, you should upgrade, ideally to Zenario 9.3.

Other security updates

This update also patches some minor security vulnerabilities in admin mode.

There was a small hole in the SVG sanitiser script, which meant it was still possible in certain places for an administrator to upload an SVG that contained an XSS attack.

We've also fixed a small issue where the administrator's name was not being HTML escaped
on the diagnostics screen.

Neither of these issues is considered critical, as someone would already need
administrator access before they could exploit them.

Miscellaneous

Some fixes for PHP errors in PHP 8.0 have been patched back into this version of Zenario.
However, we would still recommend running the most recent version of Zenario (9.3 or later) if you need support for PHP 8.