Vanilla 2.1.5 is now available. It is a security & bug fix release for the 2.1 branch.
This is an urgent upgrade for all forums.
25 files changed in this version. GitHub code diff
style parameter in comments.
Thanks to Anand Meyyappan (through a sponsorship by Private Internet Access) for discovering the CSRF issues and to Marcos Toledo for responsibly disclosing them. And thanks to Brandon Perry at ZeniMax Online Studios for disclosing the Insecure Direct Object Reference.
Hat tips to @hgtonight, @R_J, agauniyal, and @Shadowdare for contributing code to 2.1.5, and to @Bleistivt & @hgtonight for some quick testing when the release was fast-tracked yesterday after the IDOR was discovered.
If you are still on the 2.0 series, please upgrade immediately to 18.104.22.168, which closes the above-noted security issues plus the DeliveryType issue noted in the 2.0.3 release. Reminder: We will end support of 2.0.* at the end of the year.