The developers of the open source social networking platform Elgg have released versions 1.8.17 and 1.7.20 to address three critical security holes and several functionality issues.
One of the vulnerabilities is a reflected cross-site scripting (XSS) flaw that impacts Elgg 1.8 installations. Another bug could have been leveraged to access the contents of sensitive files via a specially crafted request.
The third security fix addresses the problem of cryptographic keys generated with weak entropy. This is particularly problematic on Windows.
The issues were reported by an anonymous user and by Mike Kasper. Those who find vulnerabilities in Elgg are advised to disclose them responsibly by sending an email to firstname.lastname@example.org.
Users are advised to update their installations as soon as possible. You can download Elgg from Softpedia’s Scripts section.