We've released a new maintenance update for PivotX. This release also fixes a few minor security issues, so it is a recommended upgrade for all PivotX 2.x websites. For earlier security-related issues and patches, see the page dedicated to Security issues.
These are the changes since PivotX 2.3.10:
- Now calling htmlspecialchars with ENT_QUOTES.
- Escaping some user controlled variables.
- Escape usage of PHP_SELF in form action.
- Bug and security fix in getPivotxURL().
- Using absolute paths everywhere in the head.
- Bug fix in check of allowed file extensions.
- No longer restore the PHP session via a session ID passed in the URL, as this is insecure. (Partly reverting rev 3179.)
- Fixing some warnings / notices, for newer PHP versions.
- Properly escape user-controlled variables in the file explorer.
- Moblog fixes: debugging, and handling of mails with images sent from the default iPhone mail app.
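To make the first and third items concrete, here is a small added illustration (not PivotX code, and not taken from the 2.3.11 patch) of why the htmlspecialchars() call needs ENT_QUOTES and why PHP_SELF must be escaped before it is placed in a form action. The sample values, the esc_default() and esc() helper names, and the single-quoted attribute are all constructed for the illustration.

```php
<?php
// Added illustration (not PivotX code): the effect of ENT_QUOTES on
// htmlspecialchars(), and escaping PHP_SELF before use in a form action.

// Constructed sample values standing in for user-controlled input.
$title = "O'Reilly \" <b>";
// PHP_SELF reflects any path info appended to the request URL, so it is
// attacker-influenced; this constructed value shows why it must be escaped.
$self = "/index.php/\"><b>injected</b>";

function esc_default(string $s): string {
    // Pre-2.3.11 style: ENT_COMPAT escapes <, >, & and " but leaves ' alone
    // (ENT_COMPAT was the default flag before PHP 8.1).
    return htmlspecialchars($s, ENT_COMPAT, 'UTF-8');
}

function esc(string $s): string {
    // Hardened call: ENT_QUOTES escapes both ' and ", so the result is safe
    // inside single- or double-quoted attributes as well as in text nodes.
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Text-node context: both calls neutralise the <b> tag and the double quote.
echo esc_default($title), "\n";
echo esc($title), "\n";

// Single-quoted attribute: the apostrophe closes the attribute with the
// default flags, but stays encoded with ENT_QUOTES.
printf("<input value='%s'>\n", esc_default($title));
printf("<input value='%s'>\n", esc($title));

// Form action: never emit PHP_SELF raw. Escape it, or better, use a fixed
// script name that does not come from the request at all.
printf("<form action=\"%s\" method=\"post\">\n", esc($self));
printf("<form action=\"%s\" method=\"post\">\n", esc('/index.php'));
```

Run it with the PHP CLI and compare the two lines for each context: only the ENT_QUOTES variant keeps the single-quoted attribute intact, and only the escaped (or fixed) action keeps the injected path info from breaking out of the form tag. Passing the flags and charset explicitly, as above, also makes the behaviour independent of the PHP version's defaults.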
The PivotX 2.3.11 release can be downloaded from this location: pivotx.net/files/pivotx_latest.zip (or pivotx.net/files/pivotx_latest.tgz, if you prefer .tgz files). For setup instructions, we point you to our documentation: Getting the files & installing. If you're having trouble downloading the files, you can also download them from our SourceForge mirror.