Dear OroCRM Community,
Recently, our partner AOE identified a potential vulnerability in OroCRM and OroPlatform. As part of our commitment to security, we are proactively addressing this issue today with a new release. There are no confirmed reports of attacks related to this issue to date, but it is important that you immediately upgrade or apply a patch in order to mitigate any potential risk.
This issue might enable attackers using the Open Redirect method to redirect users to an external website. OroCRM Enterprise Edition customers should download and upgrade to OroCRM Enterprise Edition version 1.9.3. (If you are using a previous version and need a specific patch, please contact our support team.) Our B2B SaaS Enterprise customers do not need to take any action, as our engineering team addressed the issue on their behalf.
We also highly recommend that all Community Edition users upgrade to the most recent OroPlatform and OroCRM version CE 1.7.4.
Download instructions can be found here.
If you have an issue with the OroPlatform, please report it to our OroPlatform GitHub page. And if you run into an issue with OroCRM, please report it to our OroCRM GitHub page.
As always, we look forward to hearing your feedback and comments in our forums.
Thank you!