[SECURITY] Vulnerability in Dragonfly 0.9.12 (Affected Refinery Versions: > 0.9.7)

A vulnerability that could allow remote code execution has been discovered in Dragonfly, Refinery's image and file processor.

You can read about the details here: https://groups.google.com/forum/?fromgroups=#!topic/dragonfly-users/3c3WIU3VQTo

We strongly urge all Refinery users to update their sites as soon as possible. Steps to mitigate the problem are as follows:

  1. Run `bundle update dragonfly`.
  2. Ensure that your application is now running Dragonfly v. 0.9.14, and that everything functions correctly.

This should work correctly across all Refinery versions.
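
One way to carry out the check in step 2, as an added example that is not part of the original announcement or of Refinery or Dragonfly: a Ruby script that reads the resolved dragonfly version from `Gemfile.lock` and compares it with 0.9.14. The helper names and the sample lockfile are constructed for illustration, and treating anything older than 0.9.14 as outdated is an assumption drawn from the steps above.

```ruby
require "rubygems"

# Version the announcement says the application should be running after the update.
PATCHED_DRAGONFLY = Gem::Version.new("0.9.14")

# Returns the dragonfly version resolved in Gemfile.lock text, or nil if absent.
# Resolved gems sit under "specs:" indented by exactly four spaces; the
# two-space entries under DEPENDENCIES are only requirements, not the pin,
# and six-space entries are other gems' dependencies.
def resolved_dragonfly(lockfile_text)
  match = lockfile_text.match(/^ {4}dragonfly \(([^)\s]+)\)\s*$/)
  match && Gem::Version.new(match[1])
end

# Returns :patched, :outdated or :missing for a given Gemfile.lock body.
# Assumption: anything older than 0.9.14 still needs `bundle update dragonfly`.
def dragonfly_status(lockfile_text)
  version = resolved_dragonfly(lockfile_text)
  return :missing if version.nil?
  version >= PATCHED_DRAGONFLY ? :patched : :outdated
end

# Constructed sample lockfile (not taken from a real site).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      dragonfly (0.9.12)
        rack
      rack (1.4.1)

  DEPENDENCIES
    dragonfly (~> 0.9.8)
LOCK

if __FILE__ == $PROGRAM_NAME
  # Check the lockfile given on the command line, else ./Gemfile.lock,
  # falling back to the constructed sample when no file is present.
  path = ARGV[0] || "Gemfile.lock"
  text = File.exist?(path) ? File.read(path) : SAMPLE_LOCK
  puts "dragonfly: #{dragonfly_status(text)}"
end
```

The lockfile only shows what Bundler resolved; the running application picks up the new version after it is redeployed or restarted.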

Many thanks to Charlie Somerville for reporting the vulnerability, and many thanks to Mark Evans, author of Dragonfly, who worked tirelessly to correct the issue.

Thanks,

Rob Yurkowski
Refinery CMS Core Team