At AcyMailing, our top priority is ensuring the security and reliability of our email marketing and newsletter extension. We understand the critical importance of maintaining a safe environment for your online communications and campaigns. In our continuous efforts to provide the best possible experience for our users, we recently conducted a comprehensive front-end verification to address potential vulnerabilities and strengthen our platform's security, with the help of David Jardin, head of the Joomla security team.
During our extensive assessment, we meticulously examined every aspect of AcyMailing's front-end features. This rigorous evaluation led us to identify and address four vulnerabilities that could potentially impact our users. We are committed to transparency and want to provide you with a clear understanding of these vulnerabilities, their nature, and the steps we've taken to rectify them.
- Cross-Site Scripting (XSS) Vulnerability: We identified and mitigated an XSS vulnerability that could potentially allow unauthorized access to campaigns. Our team has implemented robust security measures to prevent such exploits and ensure that your data remains safeguarded.
- Unauthorized List Creation: We discovered a vulnerability that could allow unauthorized users to create new mailing lists. This issue has been promptly addressed to prevent any unauthorized access or modifications to your email lists.
- Attachment Removal from Campaigns: Our assessment unveiled a vulnerability that could allow for the unauthorized removal of attachments from campaigns. We have taken decisive action to eliminate this vulnerability and ensure the integrity of your email campaigns.
- Subscriber List Enumeration: We identified a vulnerability that could enable unauthorized parties to get the number of subscribers in a specific list. We have enhanced our security measures to prevent any unauthorized access to your subscriber information.
Are you impacted?
It is important to note that these vulnerabilities are applicable only to AcyMailing Enterprise edition and specifically when the site owner has created a front-end campaigns management menu in a Joomla website. These vulnerabilities impact the versions 6.7.0 to 8.6.3 and have been patched in the version 8.7.0.
We recognize that some of our users utilize these advanced features, and we have focused our efforts on securing this specific scenario to guarantee the safety of your data.
How to update?
To update to the latest version of AcyMailing and benefit from this security patch, you can use the extensions update page on Joomla websites or the plugins update page on WordPress. You can also manually download the latest version from your account page (click the "Download" button once logged in on our website to be taken to your download area) then install this new version like any new extension: it will update AcyMailing if it is already installed on your website.
Our Commitment to Security:
We want to assure all our users that your security and the reliability of AcyMailing are of utmost importance to us. Our recent front-end verification and the subsequent enhancements made to address vulnerabilities demonstrate our unwavering commitment to delivering a secure and trustworthy platform for your email marketing needs. As always, we encourage you to keep your AcyMailing installation up to date to benefit from the latest security improvements and features.