Security Patches Released for IP.Gallery 4.2.1 and 5.0.5

XSS vulnerability patched in IP.Gallery

Invision Power Services has released patches to address a cross-site scripting (XSS) vulnerability in IP.Gallery 4.2.1 and 5.0.5.

The XSS security hole is related to Shockwave Flash (SWF) file uploads.

“Because SWF files allow arbitrary script to execute within the context of the site they are hosted on, we are releasing a patch today which disables SWF files from being accepted by IP.Gallery by default,” the advisory published by IPS reveals.

Users who still want to allow SWF files can follow the instructions provided by the company. However, unless only trusted users are allowed to submit files to the IP.Gallery installation, IPS advises against doing so.

IPS Community and Cloud customers who are running a recent version of the IP.Board add-on don’t have to take any action. The patches are available on the IPS Community forum.
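The default-deny policy the advisory describes, sketched as an added example (this is not IPS's patch or IP.Gallery code): an upload check that identifies SWF by its file header as well as by name and MIME type, and accepts it only when an administrator has opted in and the uploader is trusted. The function names, the `allow_swf` and `uploader_trusted` parameters, and the sample byte strings are assumptions constructed for illustration.

```python
import os
import struct

# SWF files begin with a 3-byte signature, a 1-byte version and a 4-byte length.
SWF_SIGNATURES = {b"FWS": "uncompressed", b"CWS": "zlib", b"ZWS": "LZMA"}
SWF_EXTENSIONS = {".swf"}
SWF_MIME_TYPES = {"application/x-shockwave-flash", "application/vnd.adobe.flash.movie"}


def swf_kind(data):
    """Return the SWF compression flavour if data begins with an SWF header, else None."""
    if len(data) < 8 or data[:3] not in SWF_SIGNATURES or data[3] == 0:
        return None
    return SWF_SIGNATURES[data[:3]]


def check_upload(filename, declared_mime, data, allow_swf=False, uploader_trusted=False):
    """Return (accepted, reason) for an upload under a default-deny SWF policy."""
    ext = os.path.splitext(filename)[1].lower()
    named_swf = ext in SWF_EXTENSIONS or declared_mime.lower() in SWF_MIME_TYPES
    kind = swf_kind(data)
    if kind is None and not named_swf:
        return True, "not SWF"
    if kind is not None and not named_swf:
        # The name and MIME type are client-supplied, so the content decides.
        return False, f"{kind} SWF content disguised as {ext or 'no extension'}"
    if not allow_swf:
        return False, "SWF uploads are disabled by default"
    if not uploader_trusted:
        return False, "SWF uploads are limited to trusted users"
    return True, "SWF accepted from trusted user"


def _sample_swf(signature):
    # Constructed sample: valid-looking 8-byte header followed by padding.
    return signature + bytes([10]) + struct.pack("<I", 64) + b"\x00" * 56


SAMPLE_FWS = _sample_swf(b"FWS")
SAMPLE_CWS = _sample_swf(b"CWS")
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32  # constructed

if __name__ == "__main__":
    for name, mime, blob in [("banner.swf", "application/x-shockwave-flash", SAMPLE_FWS),
                             ("photo.jpg", "image/jpeg", SAMPLE_CWS),
                             ("photo.jpg", "image/jpeg", SAMPLE_JPEG)]:
        print(name, check_upload(name, mime, blob))
```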

