Security Vulnerability - All Exponent Versions - June 2016
Two security vulnerabilities were found in Exponent 2.x on June 1, 2016. The first has been present in all versions of Exponent (2.x), and the second is found in all versions since and including v2.1.0. The fixes are:
- Update to the latest version (v2.3.8) and install the latest patch (v2.3.8patch3). This is the recommended fix since it also includes several security and other fixes not included in the patches to v2.2.3 or v2.1.4.
- If you are running a v2.2.x installation and do not want to update to the latest version, you should update to v2.2.3 (the last release before the major version update to v2.3.x) and install its latest patch (v2.2.3patch11). If you are already running v2.2.3, you'll want to install this patch to also correct some other issues.
- If you are running an installation prior to v2.2.0 (v2.0.x or v2.1.x) and do not want to update to the latest version, you should update to v2.1.4 (the last release before the major version update to v2.2.x) and install its latest patch (v2.1.4patch8). If you are already running v2.1.4, you'll want to install this patch.
- If you are unwilling to update to a newer version or the current version, you must delete these two files:
  - /external/adminer/admin.php (deleting it will disable the built-in database manager)
  - /framework/modules/pixidou/download.php (this file was never used by Exponent)
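
One way to confirm the file-deletion workaround on a server, as an added example that is not part of the original advisory or the Exponent project: a POSIX shell audit that takes the install root as its argument. The function names and the `--fix` switch are assumptions of this example; the two paths are the ones listed above.

```shell
#!/bin/sh
# Added example (not Exponent project code): audit an Exponent install root
# for the two files the advisory says to delete when the site is not upgraded.
# Function names and the --fix switch are assumptions made for this example.

# Paths relative to the install root, taken from the advisory.
RISKY_FILES="external/adminer/admin.php
framework/modules/pixidou/download.php"

# exponent_audit ROOT
# Prints each advisory file still present under ROOT and returns how many
# were found (0 means the workaround is in place).
exponent_audit() {
    root=${1%/}
    found=0
    for rel in $RISKY_FILES; do
        # -e follows symlinks; -L also catches a dangling symlink.
        if [ -e "$root/$rel" ] || [ -L "$root/$rel" ]; then
            printf 'PRESENT  %s/%s\n' "$root" "$rel"
            found=$((found + 1))
        fi
    done
    return "$found"
}

# exponent_remediate ROOT
# Deletes the advisory files under ROOT, then re-audits so the caller gets a
# non-zero status if a file could not be removed (for example, permissions).
exponent_remediate() {
    root=${1%/}
    for rel in $RISKY_FILES; do
        rm -f -- "$root/$rel"
    done
    exponent_audit "$root"
}

# Usage: sh audit.sh [--fix] /path/to/exponent
if [ "$#" -gt 0 ]; then
    if [ "$1" = "--fix" ]; then
        exponent_remediate "$2"
    else
        exponent_audit "$1"
    fi
fi
```

Run without `--fix`, the script only reports, so its exit status can gate a deployment or monitoring check. Removing admin.php also removes the built-in database manager, as noted above.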