Omeka 2.2.1 security update released

Today, we are releasing Omeka 2.2.1, a security update for Omeka 2.2. All users should upgrade.

This release closes cross-site scripting (XSS) and cross-site request forgery (CSRF) vulnerabilities in the admin user forms.

An unrelated fix to the API removes dead links to private collections for non-authenticated users.

Thanks to Gjoko Krstic at the Zero Science Lab for finding and reporting the XSS and CSRF vulnerabilities.

Please see the release notes for more detail.

One Response to “Omeka 2.2.1 security update released”

  1. Adrien de Beaupre

    I have written a diary at the SANS Internet Storm Center using the Omeka vulnerabilities as an example. https://isc.sans.edu/forums/diary/Complete+application+ownage+via+Multi-POST+XSRF/18507
