We have recently learned that there is a vulnerability in the code which allows visitors to upload their own module in your back office. This can happen if you have opened up your back office in DEMO mode. As soon as we learned about it and found the fix, we made a patch version which doesn’t require you to update your whole store, but lets you patch version 1.0.0 in place instead. The next version, 1.0.1, will already contain the fix.

Information

What is affected?

  • Module and theme developers often provide a back office demo. If you provide a thirty bees back office demo, your back office is affected, too, and you should apply this fix.
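To tell whether a store is in the affected configuration, the first thing to check is whether demo mode is actually switched on. The following shell check is an added example, not part of this announcement or of the thirty bees code; it assumes that demo mode is controlled by the PHP constant `_PS_MODE_DEMO_` in `config/defines.inc.php` (the switch inherited from PrestaShop 1.6), which this page does not state, and it runs against a constructed sample file rather than a real store.

```shell
#!/bin/sh
# Report whether a thirty bees install has back office demo mode enabled.
# Assumption (not stated in the announcement): the switch is the PHP constant
# _PS_MODE_DEMO_ defined in config/defines.inc.php, as in PrestaShop 1.6.
# Returns 0 when demo mode is on (affected configuration), 1 when off,
# 2 when the defines file cannot be read.
tb_demo_mode_enabled() {
    defines="${1:-config/defines.inc.php}"
    if [ ! -r "$defines" ]; then
        echo "cannot read $defines" >&2
        return 2
    fi
    # Drop commented-out lines first, then look for define('_PS_MODE_DEMO_', true);
    # allowing either quote style, any spacing and any letter case for "true".
    if grep -Ev '^[[:space:]]*(//|#|\*)' "$defines" \
        | grep -Eiq "define\(['\"]_PS_MODE_DEMO_['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)"; then
        echo "DEMO MODE ON in $defines: this back office is in the affected configuration"
        return 0
    fi
    echo "demo mode off in $defines"
    return 1
}

# Constructed sample for a stand-alone run; a real store would be checked with
#   tb_demo_mode_enabled /path/to/store/config/defines.inc.php
sample="$(mktemp)"
printf "<?php\ndefine('_PS_MODE_DEMO_', true);\n" > "$sample"
tb_demo_mode_enabled "$sample"
rm -f "$sample"
```

Run it from the store root with no argument, or pass the path to `defines.inc.php`; an exit status of 0 means demo mode is on and the patch below should be applied without delay (it should be applied in any case, as the next section says).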

How severe is it?

  • Very severe. Having your back office open to intruders who can execute their own code is the worst-case scenario. We recommend applying the fix immediately, even if you are not a module/theme developer with a back office demo.

How do I fix this?

  • Upload the patch (below) and install it like a regular module.
  • Click the “Patch files” button.

The patch

tbpatchuno.zip

UPDATE: jnsgioia reported a problem with the patch on the forum. Thank you! This has now been addressed with a newer patch. If you have patched thirty bees before, we recommend patching again with the file above.