The short version
Our team learned of and quickly patched a previously unknown security vulnerability in our Filter Bar product earlier this week. We take full responsibility for the situation, and we’re sorry it happened.
Customers with active Filter Bar subscriptions should update to the latest version (126.96.36.199) ASAP; customers with expired subscriptions should go to their My Account login page and get a patched version.
The longer, more detailed version
Our team works hard every day to ensure The Events Calendar family of products are worthy of the people who use and depend on them… so much so that we investigate every single report of a potential vulnerability that comes through our doors. We take our customers’ security very seriously (perhaps no one more so than our Director of Products, Zach).
As part of that ongoing diligence, our Products team recently became aware of a security issue with Filter Bar—a blind SQL injection that could lead to vulnerabilities such as corruption or deletion of data. No matter how unlikely it might be that these potential vulnerabilities would lead to an actual security breach for one of our customers, the issue is still a big deal in our book.
Quick, corrective action in a scenario such as this is super important, and we’re incredibly thankful to the customer who flagged the vulnerability for us in a responsible way. Our team was able to validate the issue, patch the vulnerability for both active and inactive subscriptions, and systematically comb the code for any similar issues. (Thankfully, none were found!)
Here’s the timeline of how the report and response went down, in case you’re curious:
- 4/08/19: Received detailed report from customer, patch created, and extensive testing begins
- 4/10/19: Updated versions released, customers notified
These kinds of events can shake confidence loose. We get that, and we take that really seriously. Our goal, as always, is to provide you with stellar, best-in-class events management tools. So how can you be sure this won’t happen again?
The truth is, we can’t tell you that it won’t. Our teams are human, and while they’re incredibly accountable, bright, and wonderful humans, humans make mistakes. We can tell you, however, that in ten years of building and maintaining a robust products suite, it’s safe to say that this situation is an incredibly rare one.
Every opportunity, good and bad, can allow for growth if you let it, and our team has already learned a lot from this experience. We’ll continue to grow both in our craft and in our commitment to providing you with genuinely useful events management products.
- Security – Ensure filter values are properly escaped before use in queries