A vulnerability that could allow remote code execution has been discovered in Dragonfly, Refinery's image and file processor.
You can read about the details here: https://groups.google.com/forum/?fromgroups=#!topic/dragonfly-users/3c3WIU3VQTo
We strongly urge all Refinery users to update their sites as soon as possible. Steps to mitigate the problem are as follows:
- Run `bundle update dragonfly`.
- Ensure that your application is now running Dragonfly v. 0.9.14, and that everything functions correctly.
This should work correctly across all Refinery versions.
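One way to confirm the second step from the lockfile, as an added example (not code from the Refinery or Dragonfly projects): it reads the resolved `dragonfly` entry in `Gemfile.lock` and compares it with 0.9.14. The helper names, the sample lockfile and the choice to accept releases later than 0.9.14 are assumptions.

```ruby
require "rubygems" # provides Gem::Version

# Release named in the advisory as the one to be running after the update.
FIXED_DRAGONFLY = Gem::Version.new("0.9.14")

# Constructed sample lockfile (not from a real site), locked before the update.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      dragonfly (0.9.12)
        rack
      rack (1.4.1)
      refinerycms-core (2.0.9)
        dragonfly (~> 0.9.8)

  DEPENDENCIES
    refinerycms-core
LOCK

# Return the resolved version of gem_name from Gemfile.lock text, or nil.
# Resolved gems sit under "specs:" with a four-space indent; the six-space
# lines below them are dependency constraints and are skipped.
def locked_version(lockfile_text, gem_name)
  in_specs = false
  lockfile_text.each_line do |raw|
    line = raw.chomp
    if line == "  specs:"
      in_specs = true
    elsif line =~ /\A\S/ # a new top-level section ends the specs list
      in_specs = false
    elsif in_specs && (m = line.match(/\A {4}(\S+) \(([^)]+)\)\z/))
      return Gem::Version.new(m[2]) if m[1] == gem_name
    end
  end
  nil
end

# Assumption: releases later than 0.9.14 also count as updated.
def dragonfly_status(lockfile_text)
  version = locked_version(lockfile_text, "dragonfly")
  return :not_locked if version.nil?
  version >= FIXED_DRAGONFLY ? :updated : :needs_update
end

if __FILE__ == $0
  path = ARGV[0] || "Gemfile.lock"
  text = File.exist?(path) ? File.read(path) : SAMPLE_LOCK
  puts "dragonfly: #{dragonfly_status(text)}"
end
```

The lockfile only records what Bundler resolved; the deployed application has to be restarted on the updated bundle before it actually loads the new Dragonfly.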
Many thanks to Charlie Somerville for reporting the vulnerability, and many thanks to Mark Evans, author of Dragonfly, who worked tirelessly to correct the issue.
Refinery CMS Core Team