This document contains information for an outdated version (3.0) and may not be maintained any more. If some of your projects still use this version, consider upgrading as soon as possible.



  • Security: Require ADMIN for ?flush=1 (stop denial of service attacks) (#1692)
  • API: Disable discontinued Google Spellcheck in TinyMCE. Replaced by browser-based spellchecking if available (Chrome, Firefox)


Security: Require ADMIN for ?flush=1 (SS-2013-001)

See announcement

Security: Privilege escalation through Group hierarchy setting (SS-2013-003)

See announcement

Security: Privilege escalation through Group and Member CSV upload (SS-2013-004)

See announcement

Security: Privilege escalation through APPLY_ROLES assignment (SS-2013-005)

See announcement

Security: Information disclosure in Versioned.php (SS-2013-006)

See announcement


  • If you have created your own composite database fields, you should amend their setValue() method to accept an object (usually a DataObject) as well as an array.
  • If you have provided your own startup scripts (ones that include core/Core.php) that can be accessed via a web request, you should ensure that you limit use of the flush parameter.
  • Translation entity namespaces can no longer contain dots, since dots conflict with the YAML format.
  • Translation entities defined in templates now use their fully qualified entity name without dots. Before:, after BackLink_Button_ss.Back. Please fix any custom language files or uses of those entities in custom code.
  • If using "Māori/Te Reo" (mi_NZ) as your CMS locale, please re-select it in admin/myprofile to ensure correct operation (it has changed its locale identifier)
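
One way to limit the flush parameter in a custom web-accessible startup script, as the upgrade note above asks. This is an added example, not SilverStripe's own code. The function names, the callback-based admin check and the sample requests are assumptions, and it needs PHP 7.4 or later.

```php
<?php
// Added example: hypothetical guard for a custom, web-accessible startup script.
// Function names are illustrative and are not part of SilverStripe.

/**
 * Decide whether this request may trigger a flush.
 * $sapi is the PHP SAPI name ('cli' means not a web request), $isDev is the
 * site's dev-mode flag, $isAdmin is a callback returning true for ADMIN users.
 */
function flush_permitted(array $get, string $sapi, bool $isDev, callable $isAdmin): bool
{
    if (!array_key_exists('flush', $get)) {
        return false; // nothing requested
    }
    if ($sapi === 'cli' || $isDev) {
        return true; // command line or development site
    }
    // Live web request: run the permission check only now that it is needed.
    return (bool) $isAdmin();
}

/**
 * Strip the flush parameter from both request arrays unless it is permitted,
 * so that code running afterwards never sees it.
 */
function enforce_flush_policy(array &$get, array &$request, string $sapi, bool $isDev, callable $isAdmin): bool
{
    $allowed = flush_permitted($get, $sapi, $isDev, $isAdmin);
    if (!$allowed) {
        unset($get['flush'], $request['flush']);
    }
    return $allowed;
}

// Constructed sample requests (not from the page): [query, SAPI, dev mode, admin check].
$cases = [
    'anonymous, live' => [['flush' => '1'], 'apache2handler', false, fn() => false],
    'admin, live'     => [['flush' => '1'], 'apache2handler', false, fn() => true],
    'anonymous, dev'  => [['flush' => '1'], 'apache2handler', true, fn() => false],
    'no flush param'  => [['url' => 'home'], 'apache2handler', false, fn() => true],
];
foreach ($cases as $label => [$get, $sapi, $isDev, $isAdmin]) {
    $request = $get;
    $allowed = enforce_flush_policy($get, $request, $sapi, $isDev, $isAdmin);
    printf("%-16s flush %s; parameters passed on: %s\n",
        $label, $allowed ? 'runs' : 'does not run', json_encode($get));
}
```

In a real script the guard would be called with `$_GET` and `$_REQUEST` before any code that acts on flush runs; how the dev-mode flag and the ADMIN check are obtained depends on what the script has loaded at that point.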