On November 30th, 2018, we were alerted to a potential vulnerability in our Discussion Forums add-on for legacy concrete5 version 6 and below. Some tool scripts in the package can be used to publicly expose user attribute data that concrete5 would normally protect.
On December 7th, 2018 we released a new version of this add-on that removes those offending tool scripts and eliminates this vulnerability.
This add-on has been free and open source for approximately a year, and only works with legacy concrete5 which has had an official end of life announcement. We strongly encourage anyone running discussion forums on a live site to:
Just want the security patch? Download it here.
Discussion forums for concrete5 let you engage your site members in conversations anywhere you want in your site. Add individual discussion areas throughout your content where it makes sense, and then aggregate them in a centralized forum area as well. Check out the current feature list, watch a screencast, or just play with the demo (user: demo, pass: 12345).
(Note: non-English languages require concrete 5.4 or greater.)