An important security release was just published for ImpressCMS (http://www.impresscms.org), addressing a permissions weakness in a plugin and a cross-site scripting vulnerability.
The plugin vulnerability exposed a method for creating categories and folders for the imagemanager and bypassed the normal permissions checking. This was discovered by a member of the German community and the patch was being developed when another vulnerability was also reported by a 3rd party.
The second vulnerability required elevated permissions and access to the administrative area of ImpressCMS. Nonetheless, we felt it important to patch this vulnerability.
Downloads are immediately available in our file repository on SourceForge and include a complete install, an upgrade from older versions and an upgrade from the most recent version, ImpressCMS 1.2.3. Site administrators are strongly encouraged to upgrade their sites as soon as possible.
If you discover questionable behavior in ImpressCMS or a potential security weakness, please contact us and allow us to address it immediately, which we will do. To notify our security team, send a detailed email to firstname.lastname@example.org and we will respond to your report and provide a verification and fix, if warranted.
To download the latest files, visit https://sourceforge.net/projects/impresscms/files/