A security vulnerability that affects Carousel 7 and Carousel Cloud was recently reported.
In this article, we will review its impacts, and announce a schedule for patch releases that provide a resolution.
Please note that there is no mitigation possible, the only resolution is to update your Carousel system to the latest maintenance release.
- Carousel 7.0.0 - 7.0.11
- Carousel 7.1.0 - 7.1.2
- Carousel 7.2.0 - 7.2.3
- Carousel 7.3.0 - 7.3.7
- Carousel 7.4.0 - 7.4.7
- Carousel 7.5.0 - 7.5.2
- Carousel Cloud 18.104.22.168
The vulnerability identified has two potential areas for abuse. First, a specially crafted URL could be used in a phishing attack to hijack the trust the user and the browser have with the website and could serve malicious content from a third-party attacker-controlled system.
Second, is the potential for an attacker to circumvent firewall controls, by proxying traffic, unauthenticated, into the internal network from the internet.
The following versions of Carousel contain a resolution to the security vulnerability listed above.
- Carousel 7.1.3
- Carousel 7.2.4
- Carousel 7.3.8
- Carousel 7.4.8
- Carousel 7.5.3
- Carousel Cloud 22.214.171.124
These releases are available to all users starting today.