The vulnerabilities of the libraries that are part of CMSMS may affect the whole, part or none of the CMSMS core depending on circumstances. We are almost always notified of them as soon as they are discovered, and have to assess whether these vulnerabilities are exploitable in the CMSMS context or not. Every time a library upgrade is due, we need to test it, see if the latest release is mature enough not to introduce new bugs and unknown vulnerabilities, and if the upgrade itself is the best solution possible vs the version currently being used. In some cases the lib is exposed enough to be a liability and open to be exploited and action is taken immediately to fix it; in other cases the lib is wrapped so deep in the CMSMS core's own code that the core itself is responsible for the protections and mitigations needed to prevent the vulnerable code from being exploited.
In the case of PHPMailer, the assessment made at the time was that there was no way that the exploit could be used given that the 3rd party modules used are trusted to use the CMSMS core API to access the PHPMailer lib, i.e. Formbuilder, CGBetterForms, SmartForms, FEU, MAMS, and all of the more popular modules that use the email sending functionality. So there was no urgency in upgrading the lib.
We are now in the process of finalizing an upgrade of CMSMS and most, if not all, of its libraries are included. This update is long overdue, and is imminent, for a number of reasons.
That is to say that, if you don't have any custom code that accesses the PHPMailer library directly, there should be no risk involved. And the update is on its way too, so we are going to close that door at the same time.
"There are 10 types of people in this world, those who understand binary... and those who don't." * by the way: English is NOT my native language (sorry for any mistakes...). Code of Conduct | CMSMS Docs | Help Support CMSMS | My developer Page on the Forge | GeekMoot 2015 in Ghent, Belgium: I was there! GeekMoot 2016 in Leicester, UK: I was there!
Out of curiosity: when is the new version of CMSMS expected? I need to start 3 new sites (PHP 8.1) with CMSMS and, if possible, go with a newer version.
We are doing our best to try to release it in the next few weeks. The issue has been that work has been getting in the way, and delaying the development quite a bit. Not committing to it, but I'm really hoping to release in the next couple of weeks.