Skip to content

2.8.1

Compare
Choose a tag to compare
@texpert texpert released this 21 Aug 18:09
· 33 commits to master since this release
dae99dd

This release is fixing several security vulnerabilities! Please, upgrade ASAP!

What's Changed

  • Replace sass-rails with dartsass-sprockets
    • Remove sass and sass-rails gems from the main app's Gemfile when upgrading camaleon_cms to this version
  • Fix colorpicker missing admin asset, adding it to admin-manifest.css
  • Security fix: Mitigate arbitrary path write in uploader (GHSL-2024-182)
    • Thanks Peter Stöckli for reporting and providing clear reproduction steps
  • Add Rails 7.2 to stable testing on CI, point rails_edge to main branch
  • Security fix: Mitigate arbitrary path traversal in download_private_file (GHSL-2024-183)
    • Thanks Peter Stöckli for reporting and providing clear reproduction steps
  • Security fix: Mitigate stored XSS through user file upload (GHSL-2024-184)
    • Thanks Peter Stöckli for reporting and providing clear reproduction steps
  • Security fix: Mitigate remote code execution through code injection (GHSL-2024-185)
    • Thanks Peter Stöckli for reporting and providing clear reproduction steps
  • Security fix: Mitigate arbitrary file delete vulnerability (GHSL-2024-186)
    • Thanks Peter Stöckli for reporting and providing clear reproduction steps
  • Use actions/checkout@v4 on CI to remove warning about deprecated Node JS version

Full Changelog: 2.8.0...2.8.1