Do not use e107 version 1 anymore

e107 is content management system used to run and maintain websites, which is is currently developed in Sourceforge environment. Versions 1.x.x of e107 should not be used anymore since they are not patching security vulnerabilities. Developers of e107 even ignore all emails asking about vulnerabilities. They have not been using their release notification mailing list in years, which makes it even harder for e107 users to keep up with security fixes.

The newest unfixed security vulnerability is a good example how not to handle security issues. Their Github page says: “Legacy Version of e107 Content Management System. Issues relating to v1.x of e107 may be submitted on Github here: https://github.com/e107inc/e107v1/issues“. Bug report about CVE-2015-1041 was submitted as issue 2, but it did not get any replies in months and is still not fixed. You can read more about CVE-2015-1041 vulnerability in Steffen’s advisory page.

If you still run web sites using e107 version one please upgrade to version two or migrate to different CMS software.