Vanilla 2.1.5 released (and the matching 2.0 series patch release [version number garbled in source])
Vanilla 2.1.5 is now available. It is a security & bug fix release for the 2.1 branch.
This is an urgent upgrade for all forums.
25 files changed in this version (see the GitHub code diff).
- Security: An Insecure Direct Object Reference was fixed that allowed unauthorized comment editing.
- Security: Potential CSRF vectors were closed, including one that could allow account hijacking.
- Fixes an issue where enabling cleditor would permanently allow the style parameter in comments.
- Fixes an issue where users were notified of new comments in certain cases where they did not have permission to view them.
- Fixes an OpenID bug affecting Google Sign In.
- Multiple community-contributed bug fixes.
Thanks to Anand Meyyappan (through a sponsorship by Private Internet Access) for discovering the CSRF issues and to Marcos Toledo for responsibly disclosing them. And thanks to Brandon Perry at ZeniMax Online Studios for disclosing the Insecure Direct Object Reference.
Hat tips to @hgtonight, @R_J, agauniyal, and @Shadowdare for contributing code to 2.1.5, and to @Bleistivt & @hgtonight for some quick testing when the release was fast-tracked yesterday after the IDOR was discovered.
If you are still on the 2.0 series, please upgrade immediately to the matching 2.0 series patch release [version number garbled in source], which closes the security issues noted above plus the DeliveryType issue noted in the 2.0.3 release. Reminder: we will end support of 2.0.* at the end of the year.