    Nov 26th by Brett Profitt

    Elgg 1.7.5 and 1.6.4 released with security enhancements

    Elgg 1.7.5 and 1.6.4 have been released and address two cross-site scripting (XSS) vulnerabilities. Network admins are encouraged to upgrade immediately to keep their networks and users safe.

    The first vulnerability was reported by Akhilesh Gupta and can allow users to enter malicious code through the Bookmarks plugin. The second vulnerability involves the widget subsystem and can allow users to bypass input filtering. Elgg 1.7.5 and 1.6.4 are the latest versions of Elgg and fix all known security vulnerabilities.

    1.7.5 can be downloaded from the Current Release Page and 1.6.4 can be downloaded from the Previous Releases page.

    Elgg 1.7.5 contains more than just security enhancements: there are a number of improvements and bugfixes!

    Bugfixes include:

    • Checks for mismatched passwords before creating a user when manually adding users.
    • Fixed menu entry for the user's Files link.
    • Fixed XFN links on the profile page and user lists.
    • Fixed PHP warnings about invalid foreaches in plugins.php.
    • Group profile actions now correctly encode HTML entities.
    • Language string corrections.

    Changes to the user interface include:

    • Users must verify their current password before they can change their password.
    • Changed many plugins to use friendlier URLs.
    • Added a page to view Wire posts by user.

    I encourage everyone still on 1.6 to upgrade to 1.7 as soon as possible to enjoy all the benefits of the hard work that has gone into 1.7 over the last year.

    Thanks to all the users and devs who have opened tickets on Trac, submitted patches, or emailed us with bug reports. Everyone who reports bugs, offers fixes, and suggests improvements helps to make Elgg even better!