Blog posts by Jens N2012-01-10T12:24:00.0000000Zhttps://world.optimizely.com/blogs/Jens-N/ Optimizely World Security vulnerability - Elevation of privilege<p>A security vulnerability has been detected which allows elevation of privilege for a user that has access to Edit mode in EPiServer CMS 5 and CMS 6. In practice this means that someone with editorial privileges could take ownership of the “WebAdmins” account.</p> <p>Websites based on EPiServer CMS 5 and 6 using Forms Authentication with a Membership provider that supports updating are affected by this security vulnerability. Websites using Windows Authentication or Forms Authentication with Windows Membership provider are not affected.</p> <p>We recommend our partners to contact <a href="http://world.episerver.com/Support/Register-Support-Incident/">EPiServer Developer Support</a> to obtain a hotfix for the CMS specific security concerns.</p> <p>The above shares some characteristics with the vulnerability previously reported by Microsoft, <strong>but should not be mistaken as the same</strong>. For more information see <a href="http://technet.microsoft.com/en-us/security/bulletin/ms11-100.mspx">Microsoft Security Bulletin MS11-100</a></p>2012-01-10T12:24:00.0000000ZBlog post Important information to those running EPiServer CMS 4<p>It has come to our attention that the e-mail functionality delivered with the sample package for CMS 4 is in fact used in some public web applications. If this sample functionality is used without intended modification, it is possible for spambots to actively utilize the functionality and send unsolicited messages or bulk e-mail spam through the SMTP service. <br /> <br />We strongly advise all concerned parties to undertake necessary actions&#160; to ensure that the situation is remedied.&#160; We recommend that the e-mail template file and all subsequent references are removed from the web application. If the e-mail sample functionality is to be used we strongly recommend that proper relay restrictions are setup and that appropriate logic to prevent spambots from exploiting this functionality is implemented. <br /></p> <p>If you have any questions or concerns, you are welcome to contact <a href="http://world.episerver.com/Support/Register-Support-Incident/">EPiServer Developer Support</a>. </p>2010-12-02T10:34:41.0000000ZBlog post