Just a few days after Serendipity Camp and our last patch release we have to release Serendipity 2.3.4, fixing a security flaw (present on Windows installations only and exploitable only for users with upload rights on the Media library).
Unfortunately, it was possible to upload a malicious file "file" (e.g. a PHP script or other executable content) without a file extension and then rename it afterwards to "file.php" on Windows. Thanks to Junyu Zhang for spotting and reporting this!
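One way to guard against this upload-then-rename pattern is to run the rename target through the same name policy as the upload and to refuse any change of file type. The PHP below is an added example, not Serendipity's code or the actual fix; the function names, the allowlist and the character rules are assumptions.

```php
<?php
declare(strict_types=1);

// Hypothetical allowlist; a real site would derive it from its own media policy.
const ALLOWED_MEDIA_EXT = ['jpg', 'jpeg', 'png', 'gif', 'pdf'];

/**
 * Accept only "<name>.<allowed extension>" built from a conservative character set.
 * The anchored pattern also rejects names without an extension, path separators,
 * extra dots, and trailing dots or spaces, so the validated name is the stored name.
 */
function media_name_is_allowed(string $name): bool
{
    if (!preg_match('/\A[A-Za-z0-9][A-Za-z0-9_-]{0,99}\.([A-Za-z0-9]{1,10})\z/', $name, $m)) {
        return false;
    }
    return in_array(strtolower($m[1]), ALLOWED_MEDIA_EXT, true);
}

/**
 * Rename inside the media directory. Both names must pass the upload policy,
 * and the extension must stay the same, so a rename cannot change the file type.
 */
function media_rename(string $dir, string $old, string $new): bool
{
    if (!media_name_is_allowed($old) || !media_name_is_allowed($new)) {
        return false;
    }
    $oldExt = strtolower(pathinfo($old, PATHINFO_EXTENSION));
    $newExt = strtolower(pathinfo($new, PATHINFO_EXTENSION));
    if ($oldExt !== $newExt) {
        return false;
    }
    $src = $dir . DIRECTORY_SEPARATOR . $old;
    $dst = $dir . DIRECTORY_SEPARATOR . $new;
    if (!is_file($src) || file_exists($dst)) {
        return false; // missing source, or target would overwrite another file
    }
    return rename($src, $dst);
}

// Constructed demo in a throwaway temporary directory.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'media_demo_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'photo.jpg', 'constructed sample');
var_dump(media_name_is_allowed('file'));                    // upload name without extension
var_dump(media_rename($dir, 'photo.jpg', 'holiday.jpg'));   // rename keeping the extension
var_dump(media_rename($dir, 'holiday.jpg', 'holiday.php')); // rename changing the extension
```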
As we had to do a patch release anyway, we added some other fixes around Media Library file renaming and improved the display of installable plugins by adding the plugin source (Spartacus, bundled with Serendipity core or local).
Please see the release statement on GitHub for more (technical) details.
You can download the release file and unzip it to your installation as usual, or update from within Serendipity using the Serendipity Autoupdate Plugin (
Please do install the update on Windows systems running Serendipity due to the security fix.