• Resolved vikaspandeyd

    (@vikaspandeyd)


    Hello TobiasBg,
    Why does it need WP 5.3? Why don’t you have this update for earlier versions?
    What is the issue related to CSV injection in version 1.9.2?
    Is it fixed in version 1.10?
    And one more thing: 1.10 requires WP 5.3, and for some reason we are unable to switch to 5.3.
    Is there any bug fix for 1.9.2?
    Appreciate your response.
    Thanks

Viewing 8 replies - 1 through 8 (of 8 total)
  • Plugin Author TobiasBg

    (@tobiasbg)

    Hi,

    thanks for your post, and sorry for the trouble.

    I’m afraid that the recent report about a CSV injection vulnerability in TablePress is inaccurate.

    First, about the main issue:
    I acknowledge that CSV injection can be a security threat, but at the same time, I firmly believe that TablePress is not responsible here. TablePress creates CSV files according to the common definition. Malicious CSV files, however, could be created with any text editor, like Notepad! Thus, Excel should be checking for malicious code more thoroughly when it opens a CSV file.

    Therefore, as there’s nothing really to fix in TablePress, nothing in regard to CSV export has changed between TablePress 1.9.2 and 1.10. It’s a false claim that TablePress 1.10 “fixes” this issue. Thus, users with WordPress 5.3.x can (and should) use TablePress 1.10. Users on WordPress versions older than 5.3 can continue to use TablePress 1.9.2 (in terms of security).

    Regards,
    Tobias

    Thread Starter vikaspandeyd

    (@vikaspandeyd)

    Hi Tobiasbg,
    Thanks for letting us know.
    But we still do not understand this vulnerability. It is posted on wpvulndb.
    Can you please get in touch with them? That 1.10 fixes it is a false claim. Does it harm anything?
    Appreciate your response.
    Thanks
    Vikas

    Thread Starter vikaspandeyd

    (@vikaspandeyd)

    Hi,
    Thanks for letting us know.
    We still do not understand this vulnerability. It is posted on wpvulndb.
    Does it cause any injection problems?
    Can you please get in touch with them?
    Appreciate your response.

    Plugin Author TobiasBg

    (@tobiasbg)

    Hi,

    no, this does not cause any problems, especially not injection problems. The low risk is if someone exports a CSV file from your table. But they could use every text editor instead. So, you really have nothing to worry about here.

    Regards,
    Tobias

    Plugin Author TobiasBg

    (@tobiasbg)

    Hi,

    the reporter of the issue confirmed that this is a very low risk problem. Users don’t have to worry here.

    Best wishes,
    Tobias

    Thread Starter vikaspandeyd

    (@vikaspandeyd)

    Hi,
    Tobiasbg,
    Thanks for letting us know.
    It seems nice if it is a low-risk problem.

    Thread Starter vikaspandeyd

    (@vikaspandeyd)

    And why is it mentioned that it is fixed in version 1.10 if the issue is still present in 1.10?
    Is the issue related to TablePress or any editor?
    Appreciate your response.
    Thanks

    Plugin Author TobiasBg

    (@tobiasbg)

    Hi,

    this was due to a communication problem of the problem reporter.

    This is an issue in Excel, in my opinion, not in TablePress or any editor.

    Regards,
    Tobias

  • The topic ‘Why 5.3 requirement?’ is closed to new replies.
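
For site owners who pass exported CSV files on to spreadsheet users, the following added example (not TablePress code and not written by anyone in this thread) flags cells that a spreadsheet application may evaluate as a formula and rewrites them with a leading apostrophe, the mitigation OWASP describes for CSV injection. The function names and the sample data are constructed for illustration; treating plain signed numbers such as `-42.50` as harmless is an assumption of this example.

```python
import csv
import io
import re

# Leading characters a spreadsheet may treat as the start of a formula
# (the set listed in OWASP's CSV injection guidance).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Assumption of this example: a plain signed number is data, not a formula.
PLAIN_NUMBER = re.compile(r"[+-]?\d+(\.\d+)?")

# Constructed sample export; the formulas are deliberately harmless.
SAMPLE = (
    "Name,Note,Balance\r\n"
    'Alice,"=1+1",-42.50\r\n'
    "Bob,@SUM(A1:A2),+7\r\n"
    'Carol,plain text,"-A2"\r\n'
)


def is_formula_like(cell: str) -> bool:
    """True if the cell starts with a trigger and is not just a number."""
    return cell.startswith(FORMULA_TRIGGERS) and not PLAIN_NUMBER.fullmatch(cell)


def audit_csv(text: str):
    """Return (row, column, value) for every formula-like cell, 1-indexed."""
    findings = []
    reader = csv.reader(io.StringIO(text, newline=""))
    for r, row in enumerate(reader, start=1):
        for c, cell in enumerate(row, start=1):
            if is_formula_like(cell):
                findings.append((r, c, cell))
    return findings


def neutralize_csv(text: str) -> str:
    """Re-emit the CSV, fully quoted, with "'" prefixed to risky cells."""
    out = io.StringIO(newline="")
    writer = csv.writer(out, quoting=csv.QUOTE_ALL, lineterminator="\r\n")
    for row in csv.reader(io.StringIO(text, newline="")):
        writer.writerow(
            ["'" + cell if is_formula_like(cell) else cell for cell in row]
        )
    return out.getvalue()


if __name__ == "__main__":
    for row, col, value in audit_csv(SAMPLE):
        print(f"row {row}, column {col}: {value!r}")
    print(neutralize_csv(SAMPLE), end="")
```

The apostrophe prefix changes the stored cell value, so apply it only to copies intended for opening in a spreadsheet, not to files that will be re-imported.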