Latest News

Version 2.3.8 Released

May 2, 2016 Tags: release, bugs

This version, code-named 'Mayday Mayhem' fixes many issues in the previous version(s) and adds several new features. There is a new Social Feed module which allows aggregating and displaying items from Facebook, Twitter, Instagram, and/or Pinterest.  The changes include: (read more)

Patch #4 Released for V2.3.7

February 16, 2016 Tags: patch, release, bugs

This patch fixes several issues in the v2.3.7 release and v2.3.7 patch #1, patch#2, and patch#3.  It also provides several tweaks and even some new features, though the main focus is providing several regression fixes.  It should be noted that the new optional 'Upgrade permissions' upgrade scripts will attempt to lock down the site by fixing file and folder permissions (except for cgi-bin) which means also turning off the 'execute' permission.   It must be noted that this patch (like the previous patches to v2.3.7) will break any custom text module view templates using in-place editing.  Unlike previous patches, this patch file also includes all the 'installation' files in the event you secured your site by deleting or renaming the /install folder. Patch #4 to v2.3.7 is found at http://sourceforge.net/projects/exponentcms/files/exponent-2.3.7-patch-4.zip/download (read more)

Exponent CMS Forums Back Up!

January 28, 2016 Tags: forums

(updated Jan 29th) After being out of service for quite some time, we have the Exponent CMS forums back up and running (forums.exponentcms.org) with a few caveats: (read more)

Security Notice: Closing an Exponent Security Vulnerability

January 14, 2016 Tags: security

We've been notified of a security vulnerability which could compromise your Exponent CMS installation.  This vulnerability applies to all versions of Exponent 2.x up to v2.3.7 patch #2.  The immediate fix is to rename the /install folder to something else, or remove/delete it. Though we've been working hard to close Cross-Site Scripting (XSS) vulnerabilities, this one could be more permanent and seems to result from an anomaly within PHP which allows a string variable to be internally interpreted and processed as an array thereby masking the payload. (read more)