Contributed by CVE references:
- various missing input validations within /modules/Xanthia/ 
- missing input validation within /modules/Messages/readpmsg.php 
- possible path disclosure within /user.php 
- possible path disclosure within /modules/News/article.php 
- possible remote code injection within /includes/pnMod.php 
- possible cross-site-scripting in /index.php
It is recommended that all admins do an immediate upgrade of their sites to v0.750b by applying the latest security fix package available from the locations listed below. Since the Xanthia-module will be updated the site's theme needs to be set to ExtraLite (or any other non-Xanthia theme) prior to applying the update. After uploading the fixpackage the modules list needs to be regenerated and the Xanthia module upgraded within Administration-Modules.
Please note the main package has been updated to include this advisory so there is no need to apply this patch if you have downloaded PostNuke after the date of this announcement.
The /index.php and /includes/pnMod.php fixes are also available for the current .760rc4a Release Candidate within the changed files only package, the main package has also been updated with the fixes.
1. PostNuke 0.750 (tar.gz format)
Size: 2407332 Bytes
2. PostNuke 0.750 (zip format)
Size: 3501230 Bytes
3. Security Fix (changed files only) for PostNuke 0.750 (tar.gz format)
Size: 160550 Bytes
4. Security Fix (changed files only) for PostNuke 0.750 (.zip format)
Size: 247175 Bytes
The  exploits have been originally found by Maksymilian Arciemowicz from http://www.securityreason.com/ and were reported via security contact. The path disclosure issues  were found by 'Diabolic Crac' and reported to various trackers. The remote code injection  was reported by Mohamad Saleh Raub from http://www.scan-associates.net to the security contact.
Andreas Krapohl <larsneo>
PostNuke Development Team