boccio
06-30-2011, 03:02 PM
During internal audit activities we found a security issue that makes Vivvo potentially vulnerable to attackers who wish to gain access to the application's sensitive data. We have released a security update which includes the following improvements.
4.5.x branch and 4.6 branch:
- Protection from File disclosure attacks has been improved.
SEVERITY
Moderately critical
IMPACT
- Malicious users may disclose the contents of the CONFIG file via the code we introduced to merge, compress and cache CSS and JS files, which accepted arbitrary paths from GET.
WHERE
From remote.
AFFECTED VERSIONS
All Vivvo versions from 4.5 to 4.6
SOLUTION
We strongly recommend that Vivvo users install the security fix available in the HelpDesk 'File Area'. Alternatively, users without a valid license subscription can download the fix attached to this post.
Installation instructions can be found in the README file.
If you face any problems during or after the installation, feel free to contact our support team for help.
Best regards,
Vivvo Support team
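
The kind of check that closes this class of file disclosure, as an added example that is not part of the original post and is not Vivvo's code: a resolver for a CSS/JS combiner that serves a file only when its canonical path stays inside the asset directory. The function name `resolve_asset()`, the directory layout and the sample files are assumptions constructed for the illustration.

```php
<?php
declare(strict_types=1);
// Added illustration, not Vivvo code; resolve_asset() and all paths are hypothetical.

function resolve_asset(string $baseDir, string $requested): ?string
{
    // A NUL byte never belongs in a file name; refuse before touching the filesystem.
    if (strpos($requested, "\0") !== false) {
        return null;
    }
    // The combiner only ever merges stylesheets and scripts.
    $ext = strtolower(pathinfo($requested, PATHINFO_EXTENSION));
    if (!in_array($ext, ['css', 'js'], true)) {
        return null;
    }
    // Canonicalise both paths so "..", symlinks and doubled slashes are resolved.
    $base = realpath($baseDir);
    $real = realpath($baseDir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $real === false || !is_file($real)) {
        return null;
    }
    // Serve the file only if its canonical path is still under the asset root.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($real, $prefix, strlen($prefix)) === 0 ? $real : null;
}

// Constructed sample tree: an asset root next to files that must never be served.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'combiner_demo_' . getmypid();
mkdir($root . '/assets/css', 0700, true);
$files = ['/assets/css/site.css', '/conf.php', '/outside.css'];
foreach ($files as $f) {
    file_put_contents($root . $f, '/* constructed sample */');
}

$requests = ['css/site.css', '../conf.php', '../outside.css', 'css/../../outside.css'];
foreach ($requests as $name) {
    $hit = resolve_asset($root . '/assets', $name);
    printf("%-24s %s\n", $name, $hit === null ? 'rejected' : 'served');
}

// Remove the sample tree.
foreach ($files as $f) {
    unlink($root . $f);
}
rmdir($root . '/assets/css');
rmdir($root . '/assets');
rmdir($root);
```

The extension allowlist alone does not stop a `.css` or `.js` name that points outside the asset root; the canonical-path comparison is what rejects the last two requests.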