SS-2014-010: Injection / Filesystem vulnerability in generatesecuretoken
- Severity: Low
- Versions Affected: 3.0.10, 3.1.4, master
- Versions Fixed: 3.0.11, 3.1.5, master
- Release Date:
This issue has been resolved by removing the unnecessary 'path' querystring parameter and ensuring that the output of this page is served with the correct 'text/plain' Content-Type header.
This attack could only be performed by a privileged user (an administrator), so it had a very low risk of being exploited.