CRITICAL SECURITY RELEASE
Today we announce the release of CMS Made Simple version 2.2.1 "Hearts Desire". Not only does this release fix a few important issues detected with the 2.2 release, but it addresses a CRITICAL security issue that was detected for all 2.x releases. We request that you upgrade your CMSMS installations as soon as possible.
1. Fixed an issue where a compiled string template could be provided to many modules that directly execute PHP code without going through the Smarty security policy.
2. debug_to_log() is no longer a permitted php function to call within templates.
3. Fixed an issue where MicroTiny failed to initialize.
4. Fixed an issue in the database abstraction library when using nested transactions
5. Fixed an issue with the smarty plugin loading mechanism for plugins that use the smarty_cms_function_foo naming standard.
6. After an upgrade, ensure that the config.php has read-only permissions
7. On upgrade, move all remaining plugins (should only be third party plugins) from /plugins to /assets/plugins
Again, we consider the security vulnerabilities to be CRITICAL and request that you upgrade your sites as soon as possible.
Many thanks to Daniel Le Gall from SCRT SA, Switzerland for reporting this vulnerability. His skills and professionalism certainly assisted in our understanding, reproducing and resolving the vulnerability quickly and easily.
We apologize for the inconvenience and thank you for your cooperation.