HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.

Vanilla 2.1.5 released (and

LincLinc Detroit Admin
edited November 2014 in Releases

Vanilla 2.1.5 is now available. It is a security & bug fix release for the 2.1 branch.

This is an urgent upgrade for all forums.


25 files changed in this version. GitHub code diff


  • Security: An Insecure Direct Object Reference was fixed that allowed unauthorized comment editing.
  • Security: Potential CSRF vectors were closed, including one that could allow account hijacking.
  • Fixes issue where enabling cleditor would permanently allow style parameter in comments.
  • Fixes issue notifying users of new comments in certain cases where they did not have permission to then view them.
  • Fixes OpenID bug effecting Google Sign In.
  • Multiple community-contributed bug fixes.

Thanks to Anand Meyyappan (thru a sponsorship by Private Internet Access) for discovering the CSRF issues and to Marcos Toledo for responsibly disclosing them. And thanks to Brandon Perry at ZeniMax Online Studios for disclosing the Insecure Direct Object Reference.

Hat tips to @hgtonight, @R_J, agauniyal, and @Shadowdare for contributing code to 2.1.5, and to @Bleistivt & @hgtonight for some quick testing when the release was fast-tracked yesterday when the IDOR was discovered.

If you are still on the 2.0 series, please upgrade immediately to which closes the above noted security issues plus the DeliveryType issue noted in the 2.0.3 release. Reminder: We will end support of 2.0.* at the end of the year.



  • What is the procedure for upgrading vanilla forums ?

  • whu606whu606 I'm not a SuperHero; I just like wearing tights... MVP

    Follow these steps to upgrade Vanilla when a new stable release is announced.

    Backup your database and conf/config.php file somewhere safe.
    Upload the new release's files so they overwrite the old ones.
    Go to yourforum.com/index.php?p=/utility/update to force any updates needed.
    If it fails, try it a second times by refreshing the page.

    To upgrade to 2.1 from 2.0.18, add this step:

    Delete the file /themes/mobile/views/discussions/helper_functions.php

    From here: https://github.com/vanilla/vanilla

  • LincLinc Detroit Admin

    This release was fast-forwarded from 2.1.4 to 2.1.5 to fix a simple merge flaw in the settings controller.

  • Im using 2.1.3

    What do i need to do to get on 2.1.5 ?

    I may have changed some of the updated files in my 2.1.3 so its good to change the lines in thosr 2 files by hand?

    Wanna do it now.

  • LincLinc Detroit Admin

    @Schryvers said:
    Im using 2.1.3

    What do i need to do to get on 2.1.5 ?

    The upgrade instructions are in the README file.

    We do not recommend directly modifying core files.

  • LincLinc Detroit Admin

    I immediately regret naming it instead of 2.0.19. I'm so over 4-part names. :p

  • I did downloaded the vanilla core 2.1.5 and uploaded the 25 files that are changed,

    go to yourforum.com/index.php?p=/utility/update

    that said the update was succesfull.. but when i check in my conf/config.php the version says 2.1.3???

  • LincLinc Detroit Admin

    What it says in the config is irrelevant.

  • Then im happy to say im on 2.1.5 and its working magnific dude!

  • After installation, my forum returns a blank white page .
    Link - http://gomilitary.in/Forum/

  • R_JR_J Ex-Fanboy Munich Admin

    @onesoftindiana‌: please read those two links to find out more about “blank screen”:


    Then please report about the actual error.

  • Thanks for the update, @Linc! Keep up the good work, everyone! :)

    Add Pages to Vanilla with the Basic Pages app

  • I may not provide the completed solution you might desire, but I do try to provide honest suggestions to help you solve your issue.

  • chanhchanh OngETC.com - CMS Researcher ✭✭

    Very nice! Just copy over it and it is upgraded.


  • Is it ok to clone directly from the git repo to production site and install?

  • R_JR_J Ex-Fanboy Munich Admin

    The 2.1 branch on GitHub is identical to the zip file from here.

  • LincLinc Detroit Admin

    @gohunter The master branch on GitHub is very different and not yet tested for distribution. Use at your own risk. You can clone the 2.1 branch safely.

  • Are you suggesting that it is better to just use the zip file with 2.1.5?

  • peregrineperegrine MVP
    edited November 2014

    if you don't know how to clone the 2.1 branch via github. just get the zip. both using zip or cloning proper branch work. just installing zip is easy, unless you have a reason to use github and plan to send in commits to vanilla. Whatever is easiest and does the job. just don't use the wrong branch.

    I may not provide the completed solution you might desire, but I do try to provide honest suggestions to help you solve your issue.

  • what is the last STABLE version?

Sign In or Register to comment.