A security vulnerability affecting Carousel 7 and Carousel Cloud was recently reported.
In this article we review its impact and announce the schedule of patch releases that resolve it.
Please note that there is no mitigation or workaround: the only resolution is to update your Carousel system to the latest maintenance release.
Affected Versions
- Carousel 7.0.0 - 7.0.11
- Carousel 7.1.0 - 7.1.2
- Carousel 7.2.0 - 7.2.3
- Carousel 7.3.0 - 7.3.7
- Carousel 7.4.0 - 7.4.7
- Carousel 7.5.0 - 7.5.2
- Carousel Cloud 19.5.30.7
Impact
The vulnerability identified has two potential areas for abuse. First, a specially crafted URL could be used in a phishing attack: because the link points at the legitimate Carousel site, it inherits the trust the user and the browser place in that site, yet the content actually served could come from a third-party, attacker-controlled system.
Second, an attacker could circumvent firewall controls by using the Carousel server to proxy traffic, unauthenticated, from the internet into the internal network.
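Both abuse areas described above are what happens when a user-supplied target URL is forwarded (to the browser as a redirect, or server-side as a proxied request) without strict validation of where it points. The following is an added example of the generic defence for that class, written for this article; it is not Carousel code and says nothing about how the Carousel flaw itself is triggered or fixed. The allowlist, the function names and the sample URLs are assumptions for illustration.

```python
"""Target-URL validation for a redirect or proxy endpoint (illustrative)."""
import ipaddress
from urllib.parse import urlsplit

# Hypothetical allowlist of hosts the endpoint may redirect to or fetch from.
ALLOWED_HOSTS = {"signage.example.com", "cdn.example.com"}


def ip_is_internal(ip_text: str) -> bool:
    """True if ip_text is an IP literal that is not globally routable
    (loopback, RFC 1918, link-local such as 169.254.169.254, ULA, ...).
    Apply this to resolver results as well, not only to the URL's host,
    otherwise an allowlisted name that resolves internally still gets through."""
    try:
        return not ipaddress.ip_address(ip_text).is_global
    except ValueError:
        return False  # not an IP literal, so nothing to decide here


def classify_target(url: str, allowed_hosts=ALLOWED_HOSTS) -> str:
    """Classify a user-supplied target URL; returns "ok" or a rejection reason.
    Checks are ordered so structural bypasses are refused before the allowlist
    lookup, and the allowlist is an exact-host match, never a prefix match."""
    # Raw-string check first: urlsplit strips tab/newline silently and does not
    # treat backslash as a delimiter, so these must be refused before parsing.
    if any(ch in url for ch in "\\\t\r\n "):
        return "bad-chars"
    parts = urlsplit(url)
    # Protocol-relative "//evil.example" has no scheme; javascript:/data: are not http(s).
    if parts.scheme not in ("http", "https"):
        return "bad-scheme"
    # "https://signage.example.com@evil.example/" parses with the trusted name as
    # userinfo and the attacker's name as the host; refuse userinfo outright.
    if parts.username is not None or parts.password is not None:
        return "userinfo"
    host = parts.hostname  # lower-cased; IPv6 brackets already stripped
    if not host:
        return "no-host"
    host = host.rstrip(".")  # accept the trailing-dot FQDN form of an allowed host
    # Literal internal addresses cover the "proxy into the internal network" half.
    if ip_is_internal(host):
        return "internal-ip"
    # Exact match: "signage.example.com.evil.example" must not pass.
    if host not in allowed_hosts:
        return "host-not-allowed"
    return "ok"


def target_allowed(url: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Boolean convenience wrapper for use at the redirect/proxy call site."""
    return classify_target(url, allowed_hosts) == "ok"
```

The rejection reasons are there so a blocked request can be logged with a cause; in production the allowlist would come from configuration, and a proxying endpoint should additionally require authentication rather than relying on the target check alone.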
Patch Schedule
The following versions of Carousel contain a resolution to the security vulnerability listed above. Note that no 7.0.x release appears in this list: a Carousel 7.0 installation must be upgraded to one of the patched branches below.
- Carousel 7.1.3
- Carousel 7.2.4
- Carousel 7.3.8
- Carousel 7.4.8
- Carousel 7.5.3
- Carousel Cloud 19.7.16.9
These releases are available to all users starting today.