Georg-Christian Pranschke from http://www.sensepost.com/ discovered a vulnerability in Elgg that could potentially allow SQL injection attacks using crafted URLs or POSTs. Versions 1.7.3 and 1.6.3 correct this and are highly recommended for all Elgg users.
1.7.3 also includes additional bugfixes for problems found in 1.7.2:
- Entering an invalid captcha now forwards to the referring page instead of the front page.
- “Edit details” and “Edit profile icon” only show up on user's own profile.
- get_objects_in_group() works correctly.
- Legacy wrapper functions correctly support multiple owner guids.
To maintain the security of your network and its users, all Elgg installations should be upgraded immediately.
You can download the latest releases from their website: Elgg CMS
