
Apostrophe 2.102.3: important security fix for the qs module

2.102.3

It appears this risk only occurs when our build Nunjucks filter is used with a URL based on what the browser sent, rather than starting with the _url property of the page and adding parameters to that with build. It is therefore not an issue “out of the box” in all or most ApostropheCMS sites. However, the vulnerability should be patched promptly because it could definitely exist in current or future project-level code that uses build. To eliminate the risk, update to this version of Apostrophe and make sure you run “npm update” to get the required updated version of qs via Apostrophe’s dependencies.

  • This version also corrects a bug that prevented the recently released disableInactiveAccounts feature from working.