CMS e107 Security Update 0.7.20 released

Secunia Research contacted us a few days ago about two potential security issues. We have been working to reproduce and fix the issues, while they have held off making them public.

While I won't go into too much detail, I will say that one involves being able to upload a malicious file. It requires an odd set of preferences and a missing file to allow it to happen though, so the threat is pretty low in our opinion.
The other was a JS code injection. The user was able to inject some JS code that would run if an admin edited the user's post. This was only open if the site had the 'personal content manager' option enabled in the content plugin.

Both have now been fixed... thanks again to Secunia for pointing them out to us.

Of course, the release also includes all other bug fixes that have been committed since the last release.

Link to downloads here: http://e107.org/edownload.php
The current stable release is 0.7.20. This version is an almost total rewrite of the 0.6x tree and includes hundreds (maybe thousands) of added features and bugfixes.

Anyone currently running 0.7.x needs to use the 0.7.x upgrade file.

e107 0.7.20 Full install (.zip)
e107 0.7.20 Full install (.tar.gz)
e107 0.7.x to 0.7.20 Upgrade (.zip)
e107 0.7.x to 0.7.20 Upgrade (.tar.gz)
e107 0.7.19 to 0.7.20 Upgrade (.zip)
e107 0.7.19 to 0.7.20 Upgrade (.tar.gz)
e107 0.6175 to 0.7.20 Upgrade (.zip)
e107 0.6175 to 0.7.20 Upgrade (.tar.gz)
0.7.0 - 0.7.20 English ISO file

Changes found here in the changelog



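Chinese Version
Full install files

[UTF-8] e107 0.7.20 Traditional Chinese (MySQL 4.1)
Upgrade files

[UTF-8] e107 0.7.x to 0.7.20 Traditional Chinese upgrade file (MySQL 4.1)
[UTF-8] e107 0.7.19 to 0.7.20 Traditional Chinese upgrade file (MySQL 4.1)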