Vanilla Forums 2.5.2
20 May 2018
Vanilla Forums version 2.5.2 is now available (security release).
Upgrading to Vanilla Forums 2.5.2
You can install or upgrade to Vanilla Forums 2.5.2 using any of Installatron's products. Use Installatron's optional Automatic Update feature to apply Vanilla Forums updates automatically as new versions are released, or use Installatron's Clone feature to duplicate an existing Vanilla Forums install and test the 2.5.2 upgrade before applying it live. Get started managing your Vanilla Forums installations with Installatron.
What's New in Vanilla Forums 2.5.2
Security
- Prevent activity record data from leaking in AJAX response.
- Fix XSS in Editor attachment viewer.
- Fix XSS in SSO connection screen.
- Regenerate confirmation code when changing email address.
- Require confirmation of manually-entered emails during SSO.
- Fix permission check on private conversation participants adding messages.
- Fix permission-based email leaking in private conversations.
- Fix permission problem in "getRecord" function.
- Fix ownership checking of drafts before allowing overwrite.
- Blacklist the 'download' attribute from user-generated content.
- Fix our use of cURL to not allow non-HTTP redirects.
Bug Fixes
- Fix MySQL Strict Mode error during install.
- Fix Chrome-specific bug in WYSIWYG editor.
- Fix our release-building tool (Phing) so it doesn't omit the default htaccess file.