Vanilla 2.1.1 - important security & bug release

Linc, Director of Development, Detroit, Vanilla Staff
edited August 2014 in Releases

Announcing the availability of 2.1.1, a security & bug fix release for 2.1.

It is imperative all 2.1 forums upgrade immediately.


  • HtmLawed was upgraded to close an XSS vector (thanks to Psych0tr1a for responsibly disclosing this to us & to HtmLawed for a fast patch in response).
  • Multiple XSS exploits were fixed (thanks to @x00 for responsibly disclosing and both him and @businessdad for assistance in making our patches as bulletproof as possible).
  • Fixed a Twitter SSL bug (thanks @Adrian for the patch).
  • Fixed a missing permission check in the sorting utility (thanks @R_J for the patch).
  • cleditor was patched to fix a crippling IE11 bug.
  • Profile Extender was upgraded and a security flaw in it was fixed.
  • Fixed a bug in Announcing while starting a discussion.
  • Corrected the default theme README.
  • Backported GDN_UserAuthenticationProvider.IsDefault so the latest version of jsConnect will work with 2.1.1.
  • Fixes a theme screenshot bug (thanks @hgtonight for the patch).

As you can see, some extremely critical fixes are included. The only feature additions are those added to the Profile Extender addon as a result of being backported from the 2.2 (master) branch.

Diff of 2.1.1 against 2.1 gold. (32 files changed, so I don't recommend a selective upgrade on this one.) has the same XSS issues and its patch will be released this weekend is available here as


