3rd Party Security Advisories August 2024
Hello Znuny Community,
Due to the many requests that have reached us, here is some brief information about the advisories published by another manufacturer.
To log passwords in plain text as described in the advisory, you must modify specific server files. That's why we do not classify this as a security problem. As soon as someone can change the files on the server, it is also possible to add custom password logging.
As log entries for passwords are unnecessary and not desired, we will remove this function. Emin Yazi (efflux) has already provided a Pull Request for this purpose.
Regarding the CKEditor:
An updated version that contains the patch has been in testing for several weeks and will be released with Znuny LTS 6.5.11 and Znuny 7.1.3. CKEditor 5 will be part of Znuny 7.2.
Our releases in April 2024 already fixed the vulnerabilities related to file uploads, which we consider much more serious. The associated advisories are published on www.znuny.org/advisories; support customers have also been and will be actively informed by us via email.