Limited XSS flaw in 2.1 - simple workaround
- You are using the Profile Extender addon AND...
- You have a field precisely named
If you are NOT using Profile Extender or simply do not have any fields with those names, you have no issue and do not need to take any action.
The workaround is to rename those fields to anything else until 2.1.1 is released. The label must be an exact string match for one of the 3 names above for the flaw to be exploitable, so simply appending an underscore or a number to the field label mitigates it entirely.
To do this, go to Profile Fields in your Dashboard and click "Edit" on the field whose name you wish to change. If you do not have a Profile Fields section in your Dashboard, you are definitely NOT affected by this issue and need take no further action.
Because this flaw has a very small scope and an easy workaround, and 2.1.1 is already scheduled for August, we are not expediting the 2.1.1 release to address it. Please simply make the change above as needed.