Update: WoltLab Suite 5.4.11 / 5.3.17 / 5.2.17 / 3.1.25

  • We have just released new versions of our products:

    • WoltLab Suite 5.4.11
    • WoltLab Suite 5.3.17
    • WoltLab Suite 5.2.17
    • WoltLab Suite 3.1.25

    Stability releases (third part of the version number, also known as "patch releases") aim to solve existing problems in the current version. Like every stability release, they do not introduce new features. It is strongly recommended to apply these updates.

    Security Notice

    We have discovered an issue that caused a specific character in JSON strings to be improperly escaped (masked) in templates when using the |encodeJSON template modifier. In a standard installation it was possible to corrupt the structured data for search engines, but the issue could not be abused to compromise security. Plugins or apps from third parties might have been vulnerable to JavaScript execution.

    Furthermore, we have identified an issue with the forum that allowed users to reply to threads which they have no access to. This could have been used to create replies to private threads of other users. At no point was it possible to access other posts or any other kind of content from these threads.

    All WoltLab Cloud customers have already been patched to address these issues.

    How to Apply Updates

    Open your Administration Control Panel and navigate to "Configuration > Packages > List Packages". Please click on the button "Search for Updates" in the top-right corner above the package list.

    Notable Changes

    The list below includes only significant changes; minor fixes and typo corrections are generally left out.

    WoltLab Suite Filebase

    • The list of comments in boxes sometimes showed a mismatched file name. 5.4

    WoltLab Suite Forum

    • (SECURITY): Thread visibility is now properly taken into account when checking for permission to reply to a thread. At no point was it possible to access other posts or any other kind of content from these threads. 5.4 5.3 5.2 3.1
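    The pattern behind this fix, as an added illustration that is not WoltLab's code: a reply check that consults only the board-level reply permission lets a user post into any thread whose ID they can supply, while the corrected check first requires that the user can view the thread. The classes, the visibility rule and the permission names are hypothetical.

```php
<?php
// Added example (not WoltLab code): a reply permission check that takes
// thread visibility into account, next to the kind of check that does not.
declare(strict_types=1);

final class Thread
{
    /** @param int[] $participantIDs users allowed to see a private thread (hypothetical rule) */
    public function __construct(
        public readonly int $threadID,
        public readonly int $boardID,
        public readonly bool $isPrivate,
        public readonly array $participantIDs = [],
    ) {}
}

final class User
{
    /** @param int[] $replyBoards boards where the user holds a (hypothetical) "canReplyThread" permission */
    public function __construct(public readonly int $userID, public readonly array $replyBoards) {}
}

/** Can the user see this thread at all? Public threads are visible to everyone. */
function canViewThread(User $user, Thread $thread): bool
{
    return !$thread->isPrivate || in_array($user->userID, $thread->participantIDs, true);
}

/** Flawed check: only the board-level reply permission is consulted. */
function canReplyFlawed(User $user, Thread $thread): bool
{
    return in_array($thread->boardID, $user->replyBoards, true);
}

/** Fixed check: a thread the user cannot view can never be replied to. */
function canReplyFixed(User $user, Thread $thread): bool
{
    return canViewThread($user, $thread)
        && in_array($thread->boardID, $user->replyBoards, true);
}

// Constructed data: user 7 may reply in board 1 but is not a participant of
// private thread 42, whose ID could simply be guessed or taken from a form field.
$outsider = new User(7, [1]);
$private  = new Thread(42, 1, true, [3, 5]);

var_dump(canReplyFlawed($outsider, $private)); // bool(true)  -> the bug
var_dump(canReplyFixed($outsider, $private));  // bool(false) -> visibility enforced
```

    The point is ordering: the write permission is only meaningful once the read permission for the specific object has been established, so the thread lookup has to happen before the board permission is evaluated.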

    WoltLab Suite Core

    • (SECURITY): Escaping (masking) of JSON strings using the |encodeJSON template modifier has been fixed. In a standard installation it was possible to corrupt the structured data for search engines, but the issue could not be abused to compromise security. Plugins or apps from third parties might have been vulnerable to JavaScript execution. 5.4 5.3 5.2 3.1
    • Fixed database table creation when installing apps that use the PHP-based DDL API. 5.4 5.3
    • Fixed the display of optional columns when filtering the user list in the administration interface. 5.4
    • The linking of second level tabs, for example in the user group administration, was corrected. 5.4
    • Fixed insertion of line breaks in code blocks on iOS. 5.4
    • When updating the title image in the profile, the existence of a WebP variant is now correctly reset. 5.4
    • Calling an existing CMS page with missing permissions now correctly results in an "Access denied" instead of a "Page not found" message. 5.4
    • When pasting HTML from Microsoft Word, some formatting was not applied correctly. 5.4
    • The insertion of elements into a so-called "ItemList" was corrected. This affects for example the insertion of tags. 5.4
    • The display of the avatar in quotes was corrected in signatures. 5.4
    • When using WebP smileys, the dimensions are now determined automatically. 5.4
    • When exporting styles, hidden files in the image folder are no longer exported. The correction in the last update was incomplete. 5.4
    • Sending e-mails via the SMTP method is now officially marked as "Recommended". Sending via the PHP method is subject to several restrictions for technical reasons. 5.4
    • When replacing media with small images that do not generate thumbnails, existing thumbnails are now correctly reset. 5.4
    • PHP 8.1 compatibility has been improved. 5.4
  • WoltLab Suite 5.4.12 / 5.3.18 / 5.2.18 / 3.1.26

    The previous update included a change to the behavior of the |encodeJSON template modifier to mitigate a potential security issue. This caused the structured data (used by the Google search engine and others) to contain encoded characters. While not causing any security issues itself, it did prevent search engines from correctly evaluating the structured data.

    For Developers

    The |json template modifier was implemented in the development version of WoltLab Suite 5.5 as a replacement for the |encodeJSON modifier, which has several flaws. The decision was made to backport this change to WoltLab Suite 3.1 and newer in order to resolve the issue addressed in this update.

    If you are working with JSON data, most notably ld+json content, we highly suggest that you review the changes in the following commit. Please note that the removal of the quotes around the string is intentional, because |json internally relies on \json_encode(), which already emits a complete, quoted JSON value.
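    The following is an added example, not WoltLab's code, covering both the script-context hazard described in the security notice and the "drop the surrounding quotes" rule above. It shows a hypothetical modifier in the spirit of |json that hands the whole job to json_encode(), why an ld+json block built this way cannot be broken out of from inside a string, and what happens when the template keeps its own quotes around the result. The function names, the flag selection and the sample headline are assumptions.

```php
<?php
// Added example (not WoltLab code): embedding a value in a ld+json block by
// handing the whole job to json_encode(), and why the template must not put
// its own quotes around the modifier output.
declare(strict_types=1);

/**
 * Hypothetical modifier in the spirit of |json: returns a complete JSON value,
 * quotes included. The HEX flags turn < > & ' " into \uXXXX escapes so the
 * output is safe inside an HTML <script> element. This flag choice is an
 * assumption of this example, not necessarily what WoltLab Suite uses.
 */
function jsonForTemplate(mixed $value): string
{
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

/** What a template such as <script type="application/ld+json">{$data|json}</script> renders to. */
function ldJsonBlock(array $data): string
{
    return '<script type="application/ld+json">' . jsonForTemplate($data) . '</script>';
}

/** The pre-fix pattern: the template wraps the modifier output in its own quotes. */
function ldJsonBlockWithOwnQuotes(string $headline): string
{
    return '<script type="application/ld+json">{"headline": "' . jsonForTemplate($headline) . '"}</script>';
}

/** Strip the script element and return only the JSON body. */
function scriptBody(string $block): string
{
    $open = '<script type="application/ld+json">';
    return substr($block, strlen($open), -strlen('</script>'));
}

// Constructed input: a headline that tries to terminate the script element early.
$headline = 'Release notes </script><script>alert(1)</script>';

$block = ldJsonBlock([
    '@context' => 'https://schema.org',
    '@type'    => 'DiscussionForumPosting',
    'headline' => $headline,
]);
echo $block, PHP_EOL;

// "<" and ">" are emitted as \u003C and \u003E (and "/" as "\/" by default), so the
// HTML tokenizer never sees a closing </script> inside the JSON string, while the
// JSON decodes back to exactly the original headline.
$parsed = json_decode(scriptBody($block), true, 512, JSON_THROW_ON_ERROR);
var_dump(str_contains($block, '</script><script>')); // bool(false)
var_dump($parsed['headline'] === $headline);          // bool(true)

// Keeping the template's own quotes around a json_encode() result produces
// ""..."", which is not valid JSON: the structured data is malformed and
// search engines discard it, which is the breakage this update fixes.
$broken = ldJsonBlockWithOwnQuotes($headline);
var_dump(json_decode(scriptBody($broken)) === null);  // bool(true)
```

    The design choice to take from this: a JSON modifier should produce the entire JSON value, scalars and quotes included, and the template should treat that output as opaque. Escaping a bare string and letting the template add quotes means two layers must agree on the escaping rules, and the page's own history shows how easily that agreement breaks in both directions (too little escaping, then too much).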

    Notable Changes

    WoltLab Suite Blog

    • Structured data in templates was malformed. 3.1 5.2 5.3 5.4

    WoltLab Suite Calendar

    • Structured data in templates was malformed. 5.3 5.4

    WoltLab Suite Forum

    • Structured data in templates was malformed. 5.2 5.3 5.4

    WoltLab Suite Core

    • Structured data in templates was malformed. 3.1 5.2 5.3 5.4
    • Introduced the |json template modifier as a replacement for |encodeJSON. 3.1 5.2 5.3 5.4
