Invision Power Services has released patches to address a cross-site scripting (XSS) vulnerability in IP.Gallery 4.2.1 and 5.05.
The XSS security hole is related to Shockwave Flash (SWF) file uploads.
“Because SWF files allow arbitrary script to execute within the context of the site they are hosted on, we are releasing a patch today which disables SWF files from being accepted by IP.Gallery by default,” the advisory published by IPS reveals.
Users who still want to allow SWF files can follow the instructions provided by the company; however, IPS advises against doing so unless only trusted users are allowed to submit files to the IP.Gallery installation.
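To illustrate the advisory's point, here is an added example (written for this page, not code from IPS or IP.Gallery; the function names and the constructed sample bytes are assumptions): a server-side upload gate that rejects SWF files by their magic bytes as well as by extension, so a Flash file renamed to `.jpg` does not slip past a name-only check.

```python
# Added example, not IPS code: reject Flash (SWF) uploads by content, not just by name.
# A SWF served from the site's own origin runs script with that site's privileges,
# so an upload filter that only looks at the file extension is not enough.
from typing import Tuple

# Every SWF starts with a 3-byte signature (FWS = uncompressed, CWS = zlib,
# ZWS = LZMA), then a version byte and a little-endian 32-bit file length.
SWF_SIGNATURES = {b"FWS", b"CWS", b"ZWS"}
SWF_EXTENSIONS = {".swf"}


def looks_like_swf(data: bytes) -> bool:
    """True if the payload carries a SWF header, whatever its file name says."""
    return len(data) >= 8 and data[:3] in SWF_SIGNATURES


def check_upload(filename: str, data: bytes, allow_swf: bool = False) -> Tuple[bool, str]:
    """Return (accepted, reason). allow_swf mirrors the opt-in the advisory describes."""
    ext = ("." + filename.rsplit(".", 1)[-1].lower()) if "." in filename else ""
    if not allow_swf:
        if ext in SWF_EXTENSIONS:
            return False, "swf extension rejected"
        if looks_like_swf(data):
            # Extension check passed but the bytes are Flash: a disguised upload.
            return False, "swf content rejected (extension %r did not match)" % ext
    return True, "accepted"


# Constructed sample inputs (not real files): a minimal SWF header and a JPEG header.
SAMPLE_SWF = b"FWS\x0a" + (30).to_bytes(4, "little") + b"\x00" * 22
SAMPLE_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 28

if __name__ == "__main__":
    for name, blob in [("demo.swf", SAMPLE_SWF), ("cat.jpg", SAMPLE_SWF), ("cat.jpg", SAMPLE_JPEG)]:
        print(name, check_upload(name, blob))
```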
IPS Community and Cloud customers running a recent version of the IP.Board add-on do not need to take any action. The patches are available on the IPS Community forum.