A new security release of ExpressionEngine CMS is available. Version 1.7.1 is now available for download and addresses a critical bug where each member’s settings for ‘Enable Avatar’ and ‘Enable Signatures’ were reset to ‘No’ when preferences were updated in the control panel’s General Configuration page. The release also addresses a security issue where an SQL injection was at least theoretically possible. There are no known cases of a successful exploit and such an attack could only be executed by someone with control panel access and access to the admin area with “Can administrate general preferences”.
You can learn more about this release on the ExpressionEngine blog.