Dear OroCRM Community,
Recently, our partner AOE identified a potential vulnerability in OroCRM and OroPlatform. As part of our commitment to security, we are proactively addressing this issue today with a new release. There are no confirmed reports of attacks related to this issue to-date, but it is important that you immediately upgrade or apply a patch in order to mitigate any potential risk.
This issue might enable attackers using the Open Redirect method to redirect users to external website. OroCRM Enterprise Edition customers should download and upgrade to OroCRM Enterprise Edition version 1.9.3. (If you are using previous versions and are in need of a specific patch, please contact our support team). Our B2B SaaS Enterprise customers do not need to take any action, as our engineering team addressed the issue on their behalf.
We also highly recommend that all Community Edition users upgrade to the most recent OroPlatform and OroCRM version CE 1.7.4.
Download instructions can be found here.
As always, we look forward to hearing your feedback and comments in our forums.