JED has Unpublished K2 due to Security Risk !

10 years 3 months ago - 10 years 3 months ago #129230 by Tracey
Searching the JED and to my surprise I came across this:
extensions.joomla.org/extensions/authoring-a-content/content-construction/8061#rev-118224

Message also states "You should also immediately get in contact with the developer of this extension and inquire about fixes to this security risk."

How serious is this?

Is there a fix?

Thanks

Joomla! v3.5.1
Gantry5 - Hydrogen Template
k2 v2.7.0

10 years 3 months ago #129231 by Daniel
Hi Tracey,
Yeah, saw this one on the VEL RSS feed earlier this morning.

But it doesn't say what the deal is - just that K2 is vulnerable.
  • Does it mean that specifically v2.6.8 is vulnerable? (and that all previous versions are not?)
  • Or could this vulnerability apply to any version?

I'd imagine it'd just mean v2.6.8, but there isn't much info that I could find on what the vulnerability even is. Am definitely not going to update to 2.6.8 until we find out either way (and how serious it is).

Cheers,

10 years 3 months ago #129232 by Tudor Drugan
Replied by Tudor Drugan on topic Re: JED has Unpublished K2 due to Security Risk !
K2 Content Extension, 2.6.8,
Published on Tuesday, 10 June 2014 22:03

K2 Content Extension, 2.6.8, XSS (Cross Site Scripting)

link

10 years 3 months ago #129233 by Tracey
Hi Daniel,

Yeah unfortunately like you said there's not much if any info on this and it's got me a bit freaked out.

Hopefully the k2 team will get right on this and have a fix. I'm running v2.6.8 and also as you said it's probably just for that version since that was the version that was offered for download.

Let's keep our fingers crossed for a fix!

Regards,

Joomla! v3.5.1
Gantry5 - Hydrogen Template
k2 v2.7.0

10 years 3 months ago #129234 by Lefteris
I would like to inform anyone worrying about this that everything is fine. Your sites are NOT under a security risk. No exploit can be applied to what they have found, so actually this is not even an XSS vulnerability. Of course K2 will be updated and will be back to the JED.

JoomlaWorks Support Team
---
Please search the forum before posting a new topic :)

10 years 3 months ago #129235 by JoomlaWorks
Replied by JoomlaWorks on topic Re: JED has Unpublished K2 due to Security Risk !

Fotis / JoomlaWorks Support Team
---
Please search the forum before posting a new topic :)

10 years 3 months ago #129236 by Tracey
Good to know it's nothing serious.

Thanks for the link explaining what the problem is.

Regards,
Tracey

Joomla! v3.5.1
Gantry5 - Hydrogen Template
k2 v2.7.0

10 years 3 months ago #129237 by Daniel
Thanks guys for the clarification!
Great to hear it's nothing serious

10 years 3 months ago #129238 by JoomlaWorks
Replied by JoomlaWorks on topic Re: JED has Unpublished K2 due to Security Risk !
Thankfully, the JED team has republished K2.

Still waiting for the VEL team to either reply that we're wrong (and why) or remove their false report.

Fotis / JoomlaWorks Support Team
---
Please search the forum before posting a new topic :)
