This week we received news of a critical vulnerabilities in PHP Melody. Issues include: SQL/code injection, PHPMailer vulnerability (seeĀ CVE-2017-5223) and a couple more.
To date, PHP Melody has been actively used on more than 29,000 separate websites in the past 9 years. Thankfully, we received no reports of sites being hacked via exploitable code in our video CMS. We’ve always patched vulnerabilities swiftly. In the past 9 years there have been only 4-5 occasions that promoted such releases.These recent findings are serious and should be given utmost importance. We urge everyone to upgrade their PHP Melody websites to v2.7.1 today. If for some reason you cannot update to v2.7.1, you can still patch your website(s) by following this guide.
As a precautionary action, we’ve patched all recent releases since November 2015 (i.e. v2.5 and newer). So, if you’re updating from PHP Melody v2.5 to v2.6 your site will already be secure against these vulnerabilities. All things considered, we still recommend updating all the way to v2.7.1.
Today’s release includes:
- Critical vulnerability patched.
- SQL injection patched.
- PHPMailer update.
- Mime type check and proper chmod for uploads to prevent execution.
- Removed instances where the full path is readable.
- Improvements for servers with MySQL running in strict mode.
- Improvements to the Russian translation.
- Updated the Facebook video source.
- Fixed emoji helper window.
- Fixed G+ sharing widget.
- Extended auto-reporting for YouTube videos.
Today’s update is available for download in your customer account, under the ‘Download Updates‘ page.
If you have any questions or need our assistance, contact our support team. As always, we’re here to help you.
Credit for discovering these vulnerabilities go to Mr. Harry Roberts. Thank you.
Have a great weekend and stay safe!
Useful links:
Download v2.7.1 Update Buy PHP Melody v2.7.1 Get the Echo theme