MustLive discovered a HTML-injection vulnerability in the tagcloud.swf Flashfile that the Freetag-Plugin bundles and makes optionally available.
The issue is fixed in version 1.23 of the flashfile, which has now been committed to the Serendipity plugin (in version 3.30).
Since the swf-File is always bundled with the update, it is recommended to update to the latest version of the plugin for all users, or to delete that specific .swf file.
Thanks to MustLive for sharing the information with us.
- Keine Trackbacks