This upgrade is a hotfix that only updates Framework to version 3.7.5, which includes some minor bugfixes and two security patches (listed below).
Upgrading to Recipe 1.9.4 is recommended for all CWP sites. This upgrade can be carried out by any development team familiar with Silverstripe CMS. However, if you would like Silverstripe's assistance, you can request support via the Service Desk.
This release includes the following security fixes:
- CVE-2019-5715 Reflected SQL Injection through Form and DataObject
- CVE-2019-12203 Session fixation in "change password" form
- CVE-2020-9311 Malicious user profile information can cause login form XSS
- CVE-2019-19326 Web Cache Poisoning
- 2020-04-28 98926e4e6 Stop honouring X-HTTP-Method-Override header, X-Original-Url header and _method POST variable. Add SS_HTTPRequest::setHttpMethod(). (Maxime Rainville) - See cve-2019-19326
- 2020-04-23 d3b23e702 Escape First Name when displaying re-login screen (Maxime Rainville) - See cve-2020-9311
- 2019-09-16 a86093fee Session fixation in "change password" form (Serge Latyntcev) - See cve-2019-12203
- 2019-01-10 c44f06cdf Patch SQL Injection vulnerability when arrays are assigned to DataObject Fields (Aaron Carlino) - See ss-2018-021