Security update: Vanilla 2.6.4
Get it here: https://open.vanillaforums.com/addon/vanilla-core
This release includes 5 security patches disclosed through our HackerOne bounty campaign. They include fixes for:
- A remote code execution vulnerability, exploitable only by admins.
- Two XSS vectors in different parts of the Dashboard.
- An XSS vector in the OpenID addon (must be enabled) caused by old debug code.
We also made it more difficult to maliciously change a user's email address: the password prompt shown when an email change is requested no longer has a cooldown period, so the password must be re-entered for every change request.
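As an added illustration of the behaviour change described above (example code written for this note, not Vanilla's own implementation; all class and function names are hypothetical), the first class keeps a confirmation cooldown, so a second email change inside the window goes through without the password, while the second class re-checks the password on every request:

```python
"""Re-authentication before an email change: cooldown window vs. always-ask.

Added illustration, not Vanilla's code. Account, EmailChangeWithCooldown and
EmailChangeRequirePassword are hypothetical names for this example.
"""
import hashlib
import hmac
import os
import time
from typing import Callable, Optional, Tuple


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt, digest


class Account:
    def __init__(self, email: str, password: str) -> None:
        self.email = email
        self.salt, self.pw_hash = hash_password(password)

    def verify_password(self, candidate: Optional[str]) -> bool:
        if candidate is None:
            return False
        _, digest = hash_password(candidate, self.salt)
        # Constant-time comparison of the two digests.
        return hmac.compare_digest(digest, self.pw_hash)


class EmailChangeWithCooldown:
    """Old-style behaviour: once the password has been confirmed, further
    email changes within COOLDOWN seconds are accepted without asking again.
    Anyone holding the live session in that window can redirect the account."""
    COOLDOWN = 300  # seconds (constructed value for the example)

    def __init__(self, account: Account, clock: Callable[[], float] = time.time) -> None:
        self.account = account
        self.clock = clock
        self.last_verified: Optional[float] = None

    def change_email(self, new_email: str, password: Optional[str] = None) -> bool:
        now = self.clock()
        inside_window = (self.last_verified is not None
                         and now - self.last_verified <= self.COOLDOWN)
        if not inside_window:
            if not self.account.verify_password(password):
                return False
            self.last_verified = now
        self.account.email = new_email
        return True


class EmailChangeRequirePassword:
    """Hardened behaviour: every email change must carry a correct password;
    there is no remembered confirmation to reuse."""

    def __init__(self, account: Account) -> None:
        self.account = account

    def change_email(self, new_email: str, password: Optional[str]) -> bool:
        if not self.account.verify_password(password):
            return False
        self.account.email = new_email
        return True


if __name__ == "__main__":
    acct = Account("owner@example.com", "correct horse")  # constructed sample
    hardened = EmailChangeRequirePassword(acct)
    print(hardened.change_email("new@example.com", "correct horse"))  # True
    print(hardened.change_email("attacker@example.com", None))        # False
```

The cooldown class is only there to make the difference visible; the point of the fix is that the password check cannot be satisfied by an earlier confirmation, so a stolen or left-open session is not enough on its own to move the account to another address.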
Warning: if any addons (themes or plugins) in your forum install have an invalid key, you will get an error on upgrade and will need to delete them from your installation by hand. Fixing them is relatively painless, but a topic for elsewhere. We no longer allow invalid keys because of one of the security vulnerabilities above.
Please upgrade to the latest version of Vanilla as soon as possible. No other changes from 2.6.3 are in this version.