Oxygen 4.8.2 is now available.
By design, Oxygen's "Client Control" feature allows those with Oxygen access to execute PHP.
This feature is off by default, and there is a security notice labeled "Important Security Warning" directly above the feature with more details. This security warning has been present for the last 6 years.
A security researcher reported that even though our UI clearly stated the risks of granting Oxygen access to untrusted users, our documentation in this area was lacking. We've updated our documentation and added a link to it from the UI.
Oxygen 4.8.2 is not an urgent or necessary update. There is no RCE vulnerability in Oxygen. The only issue was in our documentation.
Even though the issue was in our documentation and not our actual software, there will be a CVE reporting a vulnerability in Oxygen 4.8.1 and below. We're releasing this update as a courtesy so you can avoid getting erroneous emails from your host about needing to update.
Client Control will continue to work as it always has.