TOPIC: [SOLVED] 2.7.1 - Serious Security Flaw Remains

17th Dec Update - This issue remains in 2.7.1 for 'Pay Options' - Someone can get to your system and change for example the PayPal account where all the money is sent!!!!!!

Just to warn everyone - If you are using the front end Event Management screen - Make sure you configure access to it as registered only - if you leave it as the default then a non logged in user and access and play around with / delete all your events!!!!!! :shock:

A ticket has been posted on this and the DTH team are aware of the issue....

In 2.0.7i this is much improved, but there's still a easy way non-registered users can cause damage....

If they select 'Pay Options' on the Events Control Panel page then they can access, change and delete all the configured pay options!!!!!! :shock:

Dec 17th UPDATE - Confirming this issue REMAINS with the latest version 2.7.1..... It's just limited to the 'Pay Options' item on the Events Control Panel - but that's serious enough!!!! :shock:

Support Ticket has been updated too.....

This is fixed in 2.7.1b. Requires a reinstall as the fix is done in the database, not a file. Thanks.