Security Release: ImpressCMS 1.2.4

Two security vulnerabilities were just discovered and a new release has been published to address them. The ImpressCMS Project has just released ImpressCMS 1.2.4 as a stable release - site administrators are strongly encouraged to upgrade their sites.

The imagemanager plugin used by the TinyMCE WYSIWYG editor was bypassing the permissions system, allowing unauthorized creation of categories and folders within the image folder. The second vulnerability was a potential cross-site scripting (XSS) issue, but it required elevated permissions and access to the administration area of ImpressCMS.

Downloads are immediately available in our file repository on SourceForge and include a complete install, an upgrade from older versions and an upgrade from the most recent version, ImpressCMS 1.2.3. Site administrators are strongly encouraged to upgrade their sites as soon as possible.

If you discover questionable behavior in ImpressCMS or a potential security weakness, please contact us and allow us to address it immediately, which we will. To notify our security team, send a detailed email to security@impresscms.org and we will respond to your report and provide verification and a fix, if warranted.

To download the latest files, visit https://sourceforge.net/projects/impresscms/files/