Vulnerabilities have been announced in CakePHP, the framework used by COmanage Registry. Details of these vulnerabilities have not yet been announced. Framework versions earlier than 2.7.6 are affected, which means all versions of Registry prior to 1.0.0, including the 1.0.0 release candidates, are likely to be affected.
The severity of these vulnerabilities is not yet known.
The exposure from these vulnerabilities is not yet known.
Upgrade to COmanage Registry v1.0.0 or later.
COmanage Registry v0.9.4 was released using CakePHP 2.7.1. It may be possible to drop in CakePHP 2.7.6 or a later 2.7.x release without needing to upgrade to Registry v1.0.0; however, this has not been tested.
COmanage Registry v0.9.2 and v0.9.3 were released using CakePHP 2.6.1. It may be possible to drop in CakePHP 2.6.12 or a later 2.6.x release without needing to upgrade to Registry v1.0.0; however, this has not been tested.
Older Registry versions were released using older CakePHP releases. Framework deprecations and other semi-incompatible changes are likely to complicate a similar "drop in replacement" approach.
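To see which of these cases an installation falls into, the following added example (not part of the original advisory or of COmanage's own code) reads the version from the `lib/Cake/VERSION.txt` file that CakePHP 2.x ships and classifies it against the versions named above. It assumes that 2.6.12 is the fixed release on the 2.6 line, since the advisory names it as the drop-in target; the function names are illustrative, and where the file sits inside a Registry installation is for the operator to supply.

```shell
#!/bin/sh
# Added example: classify a bundled CakePHP version against this advisory.

# Print the version in a CakePHP 2.x VERSION.txt: the last line that is
# neither blank nor a "//" comment.
cake_version_from_file() {
    grep -v -e '^[[:space:]]*//' -e '^[[:space:]]*$' "$1" | tail -n 1 | tr -d '[:space:]'
}

# Print "affected", "patched" or "unknown" for a version string.
cake_status() {
    case "$1" in
        [0-9]*.[0-9]*.[0-9]*) ;;
        *) echo unknown; return 0 ;;
    esac
    major=${1%%.*}; rest=${1#*.}
    minor=${rest%%.*}; patch=${rest#*.}
    # Pre-release or otherwise non-numeric components are not classified.
    case "$major$minor$patch" in
        *[!0-9]*) echo unknown; return 0 ;;
    esac
    if [ "$major" -lt 2 ]; then echo affected; return 0; fi
    if [ "$major" -gt 2 ]; then echo unknown; return 0; fi   # outside the advisory's scope
    if [ "$minor" -gt 7 ]; then echo patched; return 0; fi
    case "$minor" in
        7) fixed=6 ;;    # advisory: versions earlier than 2.7.6 are affected
        6) fixed=12 ;;   # assumption: 2.6.12 is the fixed release on the 2.6 line
        *) echo affected; return 0 ;;   # older lines: no fixed release named
    esac
    if [ "$patch" -ge "$fixed" ]; then echo patched; else echo affected; fi
}

# Usage: sh cake_check.sh <path to lib/Cake/VERSION.txt>
if [ -n "${1:-}" ]; then
    v=$(cake_version_from_file "$1")
    echo "CakePHP ${v:-?}: $(cake_status "$v")"
fi
```

A result of `unknown` means the version string could not be classified from this advisory and should be checked by hand.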
Because details of the vulnerabilities have not yet been announced, not much can be said about the exact impact, and it is not yet clear what the earliest affected version is. The safest approach is to upgrade as soon as practical to an unaffected version.