
Vanilla 2.1.5 released (and

LincLinc, Director of Development, Detroit, Vanilla Staff
edited November 2014 in Releases

Vanilla 2.1.5 is now available. It is a security & bug fix release for the 2.1 branch.

This is an urgent upgrade for all forums.

25 files changed in this version. GitHub code diff

  • Security: An Insecure Direct Object Reference was fixed that allowed unauthorized comment editing.
  • Security: Potential CSRF vectors were closed, including one that could allow account hijacking.
  • Fixes issue where enabling cleditor would permanently allow style parameter in comments.
  • Fixes issue notifying users of new comments in certain cases where they did not have permission to then view them.
  • Fixes OpenID bug affecting Google Sign In.
  • Multiple community-contributed bug fixes.

Thanks to Anand Meyyappan (through a sponsorship by Private Internet Access) for discovering the CSRF issues and to Marcos Toledo for responsibly disclosing them. And thanks to Brandon Perry at ZeniMax Online Studios for disclosing the Insecure Direct Object Reference.

Hat tips to @hgtonight, @R_J, agauniyal, and @Shadowdare for contributing code to 2.1.5, and to @Bleistivt & @hgtonight for some quick testing when the release was fast-tracked yesterday when the IDOR was discovered.

If you are still on the 2.0 series, please upgrade immediately to which closes the above noted security issues plus the DeliveryType issue noted in the 2.0.3 release. Reminder: We will end support of 2.0.* at the end of the year.
