Slash 2.2.6 Released
Please be aware that this is not related to the XSS vulnerability in CVS which was fixed earlier this week. This is a separate vulnerability with similar consequences, and it is equally serious.
The vulnerable Slash versions are these: 2.2.0 through 2.2.5, and pre-release Slash in CVS up through July 1. Other versions are not vulnerable.
Upgrading from earlier 2.2.x versions involves slight additional effort. From 2.2.4, update the template messages;users;default. From 2.2.2, there are also some extremely minor SQL changes. From 2.2.1, you must update the template header;misc;default. From 2.2.0, also update the template displayForm;submit;default.
If you are running Slash from CVS, hopefully you saw yesterday's notice to upgrade for the other (again, unrelated) XSS vulnerability and upgraded your site to current CVS, in which case you are not affected by this.
We do not believe that attackers "in the wild" have exploited this, but please update quickly anyway.