Vanilla 2.1.1 - important security & bug release

Linc, Director of Development, Detroit, Vanilla Staff
edited August 2014 in Releases

Announcing the availability of 2.1.1, a security & bug fix release for 2.1.

It is imperative all 2.1 forums upgrade immediately.


  • HtmLawed was upgraded to close an XSS vector (thanks to Psych0tr1a for responsibly disclosing this to us & to HtmLawed for a fast patch in response).
  • Multiple XSS exploits were fixed (thanks to @x00 for responsibly disclosing and both he and @businessdad for assistance in making our patches as bulletproof as possible).
  • Fixed a Twitter SSL bug (thanks @Adrian for the patch).
  • Fixed a missing permission check in the sorting utility (thanks @R_J for the patch).
  • cleditor was patched to fix a crippling IE11 bug.
  • Profile Extender was upgraded and a security flaw in it was fixed.
  • Fixed a bug in Announcing while starting a discussion.
  • Corrected the default theme README.
  • Backported GDN_UserAuthenticationProvider.IsDefault so the latest version of jsConnect will work with 2.1.1.
  • Fixes a theme screenshot bug (thanks @hgtonight for the patch).

As you can see, some extremely critical fixes are included. The only feature additions are those added to the Profile Extender addon as a result of getting backported from the 2.2 (master) branch.

Diff of 2.1.1 against 2.1 gold. (32 files changed, so I don't recommend a selective upgrade on this one.) has the same XSS issues and its patch will be released this weekend is available here as


