Ozzy47
Administrator
- Thread starter: XenForo
- Start date: Thursday at 6:53 PM
It is now available for all licensed customers to download. We strongly recommend that all customers running previous versions of XenForo 2.3 upgrade to this release to benefit from increased stability.
The issues identified are as follows:
- Prevention of a possible stored XSS (cross-site scripting) exploit related to BB code rendering (thank you to Antisocial)
- Prevention of a possible XSS exploit related to lightbox usage in posts (thank you UwU)
- Prevention of a possible RCE (remote code execution) exploit via authenticated, but malicious, admin users (thank you UwU)
We recommend doing a full upgrade to resolve the issue, but a patch can be applied manually. See below for further details.
- Download 239-patch.zip
- Extract the .zip file
- Upload the contents of the upload directory to the root of your XenForo installation
- Rebuild master data by logging in to your install URL, or running xf:rebuild-master-data on the command line
As always, new releases of XenForo are free to download for all customers with active licenses, who may now grab the new version from the customer area or upgrade from your Admin control panel (Tools > Check for upgrades...).
Directly from your admin control panel
If you are a XenForo Cloud customer, your installations have already been patched and no further action is required. You will remain on version 2.3.8 until 2.3.10 is released.
The following public templates have had changes:
- attachment_macros
- bb_code_tag_attach
- lightbox_macros
As always, new releases of XenForo are free to download for all customers with active licenses. You may now upgrade from your admin control panel or grab the new version from the customer area.
Please note that XenForo 2.3 has higher system requirements than earlier versions.
The following are minimum requirements:
- PHP 7.2 or newer (PHP 8.3 recommended)
- MySQL 5.7 and newer (Also compatible with MariaDB/Percona etc.)
- All of the official add-ons require XenForo 2.3.
- Enhanced Search requires at least Elasticsearch 7.2.
Attachments
- 239-patch.zip (573.6 KB)
XenForo 2.2.18 has also been released. Please refer to the release notes above. Only two of the three security issues apply to XenForo 2.2.18. The stored XSS is not applicable.
We recommend doing a full upgrade to resolve the issue, but a patch can be applied manually. See below for further details.
- Download 2218-patch.zip
- Extract the .zip file
- Upload the contents of the upload directory to the root of your XenForo installation
Attachments
- 2218-patch.zip (576.4 KB)
XenForo Media Gallery 2.3.9 Released
Today we are also releasing Media Gallery 2.3.9 to address a failing template modification caused by a change in 2.3.9. This is now available to download in the customer area, one-click upgrades, and being rolled out to XenForo Cloud automatically.
2.3.9 patch files for pre-XF 2.3.8 installs
Some users may struggle to apply the patch on pre-2.3.8 installs. If you are patching 2.3.7 or earlier you may try this patch.
Attachments
- 239-patch-pre238.zip (563.3 KB)