What Happened?
All older versions of BreezingForms for Joomla!, up to and including 1.7.5 (build 762), and their corresponding free versions are affected by a major security flaw. The latest version, 1.8.4, and later releases, along with the corresponding Lite version, are not affected.
Within an hour of learning that old versions are affected, we provided a patch so that users, especially those on Joomla! 1.5, don't have to walk through the entire upgrade path in order to close the vulnerability. Even so, we recommend updating all versions prior to BreezingForms 1.8.4.
From our analysis, the exploit is still in a proof-of-concept phase but might make it into automated attacks at any time.
Due to security concerns and to protect our user base, we won't disclose any further information on how to exploit the vulnerability.
What can I do?
We strongly recommend performing an immediate update. The flaw is serious.
If you have BreezingForms 1.7.5 build 762 or older installed
Please download the special upgrade package located <<here>>, unzip the file and follow the included readme in order to upgrade. It will upgrade all versions from 1.7.1 to 1.7.5 build 762 and also fix build 762. If you are already using build 762, the version number will not change after the upgrade, so make sure you upload the files correctly.
This upgrade will also fix the free versions.
This upgrade already contains the security fixes, so you can either stay with that version or proceed to upgrade to 1.8.4 or its corresponding Lite version.
If you have BreezingForms 1.8.0 - 1.8.3 installed
Customers: please download the update from your membership area.
Customers with inactive subscriptions: please send a short email with your username to info@crosstec.org to receive a free 1-month membership for upgrading.
Lite users: please download and update from <<here>>.
I am a former customer, do I need to pay for this security fix?
No. The security fixes for 1.7.5 build 762 will turn all versions into the full version. You won't be at any disadvantage and, in addition, free users get rid of the footer messages. BreezingForms 1.8.x users are covered as stated above.