Security Release
IXP Manager v3.6.19 is now available as a security release for all previous versions. We strongly encourage you to update your sites immediately.
This release fixes a privilege escalation that an already authenticated user could achieve through a stored XSS vulnerability combined with session cookie theft.
All vulnerabilities were found and responsibly reported by Alexandros Zaharis, Security Officer at GRNET to whom we are very grateful.
IXP Manager v3.6.19 also contains fixes for two further security issues:
- A reflected XSS vulnerability reachable by unauthenticated users.
- Disabling a user account did not prevent that user from logging in.
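The three issues above correspond to standard defensive controls: context-aware output encoding for stored and reflected XSS, an HttpOnly session cookie so that injected script cannot read the session identifier, and an account-state check at login time. The following is an added illustration in PHP (the language IXP Manager is written in); it is not code from IXP Manager, and the function names, the shape of the $user row and the column names 'disabled' and 'password_hash' are assumptions made for the example.

```php
<?php
// Added illustration, not IXP Manager code. Function names, the $user
// array shape and the column names are assumptions for this example.

// 1. Output encoding. Every untrusted value rendered into HTML is escaped
//    for that context, which neutralises stored and reflected XSS payloads
//    alike. ENT_QUOTES also covers attribute values delimited by single quotes.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// 2. Session cookie hardening. An HttpOnly cookie is not exposed to
//    document.cookie, so even a successful XSS cannot simply read the
//    session identifier. Must be called before session_start().
function configureSessionCookie(bool $httpsOnly = true): void
{
    session_set_cookie_params([
        'lifetime' => 0,            // session cookie, discarded on browser close
        'path'     => '/',
        'secure'   => $httpsOnly,   // only transmitted over TLS
        'httponly' => true,         // not readable by script
        'samesite' => 'Strict',     // array form requires PHP >= 7.3
    ]);
}

// 3. Account state is enforced at login, not only at provisioning time.
//    $user is assumed to be the row loaded by username (null if unknown);
//    a disabled user is refused even when the password is correct.
function authenticate(?array $user, string $password): bool
{
    if ($user === null) {
        return false;
    }
    if (!empty($user['disabled'])) {
        return false;               // refuse before the password is even checked
    }
    return password_verify($password, $user['password_hash']);
}

// Constructed sample data for a local run.
$untrusted = '"><script>alert(1)</script>';
echo e($untrusted), PHP_EOL;

$disabledUser = [
    'disabled'      => 1,
    'password_hash' => password_hash('correct-password', PASSWORD_DEFAULT),
];
var_dump(authenticate($disabledUser, 'correct-password'));
```

The login check alone only covers new sessions; a deployment that disables users should also re-read the disabled flag on each authenticated request, or destroy the account's existing sessions when the flag is set, so that a user who is already logged in is cut off as well.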
In addition to the security fixes, there is also a new feature: addition of the euro-ix BCP data export format for IX members as introduced by Elisa Jasinska and Nick Hilliard at RIPE 69 (presentation and video).
Views changed since v3.6.16:
application/views/customer/overview-tabs/overview.phtml
application/views/header-css.phtml
application/views/header-js.phtml