For the XSS threat patched by 1.5.4, for the threat to be exploited, does the attack have to be made by using an active login? In other words, without being logged in, can the XSS threat patched by 1.5.4 be exploited?
> Not sure why you wouldn't want to upgrade, or the situation, but the upgrade is a simple task. You may also apply the patch, which is one file change.

Steve, have you ever had reasons to do things that seemed odd to others? Did you like it when they insinuated you were ignorant or unwise? Do you like it when people show they assume you are competent and have considered what you were doing? Have you ever had someone show an interest in learning from your unusual actions, as opposed to looking for their best angle to correct what they assume is an error? Can you imagine any reason why an enterprise might be served best by not applying a particular upgrade to software?
> A patch has been provided for the issue if you can't upgrade. It's a matter of replacing 1 file and, unless you've manually edited that file, I don't see what customizations that would break.

I will check out the one-file option.
> We would never recommend taking any action to attempt to resolve a security issue other than what we've presented as options in the announcement. In this case, I am not going to suggest that disabling profile posts will resolve the issue.

Mike, that is very well stated, thank you.
> I made a bad decision not to have taken a closer look at the one-file option. The announcement for 1.5.4 mentioned stealing cookies and other elements of the login process. When I saw that, I figured 1.5.4 was going to shut the door on the login through the SDK, but that could be false, and finding out would be quick.

Those are listed as possible effects of exploiting the issue. They are somewhat unrelated to the actual vector which is used for it. There is nothing changed in relation to the login process.
> Is a demo of the exploit available? Any other way to get more details about exactly what the vulnerability is?

We won't release specifics. You can read a bit about the class of vulnerability though:
> We won't release specifics.

Thank you for answering. I should have known better than to ask for those specifics, so I am sorry for asking. I used to rationalize, "there is no good reason to keep that information locked away from customers." Later, when I was responsible for a security problem in software I had provided, I saw the matter in a different light. So thank you for providing the information you did; I appreciate it immensely.