Do 5.7.x CVE vulnerabilities apply to 5.6 also?

Hi,

The vulnerabilities below were identified on concrete5, and it was recommended to upgrade to concrete 5.7.4.2 or later.

CVE-2015-3989
CVE-2015-2250
CVE-2014-9526

We are currently on 5.6.3.3. Do these vulnerabilities also apply to 5.6.3.3? The CVE always refers to affected versions as 5.7.X and earlier.

Thanks in advance,
TGBoy

 
hissy replied:
IMHO, the vulnerabilities in 5.7 do not affect 5.6.
The two versions are based on different code bases.

Mnkras replied:
Hey,

The first one only affected private messages, and I believe that was fixed in both 5.6 and 5.7 (you had to have private messages enabled if I remember correctly, which basically nobody does in 5.6 'cause it was kinda buggy/incomplete).

For the other two, I think I backported those as well. Even if I didn't, they required administrator access to concrete5, so they have a low impact.

Hope this answers your question.

Mike