Elgg 1.8.17 and 1.7.20 have been released to address a few critical security issues. Be sure to upgrade immediately to protect your sites.
- A specially crafted request can return the contents of sensitive files.
- A reflected XSS attack is possible against 1.8 systems.
- The cryptographic key used for various purposes may have been generated with weak entropy, particularly on Windows.

Thanks to Mike Kasper and an anonymous contributor for reporting these vulnerabilities to us privately via firstname.lastname@example.org.

1.8.17 also includes tons of other fixes: