We have just released new versions of our products:
- WoltLab Suite 5.4.11
- WoltLab Suite 5.3.17
- WoltLab Suite 5.2.17
- WoltLab Suite 3.1.25
Stability releases (third part of the version number, also known as "patch releases") aim to solve existing problems in the current version. Like every stability release, they do not introduce new features. It is strongly recommended to apply these updates.
Security Notice
We have discovered an issue that caused a specific character in JSON strings to be improperly masked in templates when using the |encodeJSON template modifier. In a standard installation it was possible to corrupt the structured data for search engines, but could not be abused to compromise security. Plugins or apps from third parties might had been vulnerable to JavaScript execution.
Furthermore we have identified an issue with the forum that allowed users to reply to threads which they have no access to. This could have been used to create replies to private threads of users users. At no point was it possible to access other posts or other kind of content from these threads.
All WoltLab Cloud customers have already been patched to address these issues.
How to Apply Updates
Open your Administration Control Panel and navigate to "Configuration > Packages > List Packages". Please click on the button "Search for Updates" located in the right corner above the package list.
Notable Changes
The list below includes only significant changes, minor fixes or typos are generally left out.
WoltLab Suite Filebase
- The list of comments in boxes sometimes showed a mismatched file name. 5.4
WoltLab Suite Forum
- (SECURITY): Thread visibility is now properly taking into account when checking for permissions to reply to a thread. At no point was it possible to access other posts or other kind of content from these threads. 5.4 5.3 5.2 3.1
WoltLab Suite Core
- (SECURITY): Masking of JSON strings using the |encodeJSON template modifier has been fixed. In a standard installation it was possible to corrupt the structured data for search engines, but could not be abused to compromise security. Plugins or apps from third parties might had been vulnerable to JavaScript execution. 5.4 5.3 5.2 3.1
- Fixed database table creation when installing apps that use the PHP-based DDL API. 5.4 5.3
- Fixed the display of optional columns when filtering the user list in the administration interface. 5.4
- The linking of second level tabs, for example in the user group administration, was corrected. 5.4
- Fixed insertion of line breaks in code blocks on iOS. 5.4
- When updating the title image in the profile, the existence of a WebP variant is now correctly reset. 5.4
- Calling an existing CMS page with missing permissions now correctly results in an "Access denied" instead of a "Page not found" message. 5.4
- When pasting HTML from Microsoft Word, some formatting was not applied correctly. 5.4
- The insertion of elements into a so-called "ItemList" was corrected. This affects for example the insertion of tags. 5.4
- The display of the avatar in quotes was corrected in signatures. 5.4
- When using WebP smileys, the dimensions are now determined automatically. 5.4
- When exporting styles, hidden files in the image folder are no longer exported. The correction in the last update was incomplete. 5.4
- Sending e-mails via SMTP method is now officially considered as "Recommended". Sending via PHP method is affected by several restrictions due to technical reasons. 5.4
- When replacing media with small images that do not generate thumbnails, existing thumbnails are now correctly reset. 5.4
- PHP 8.1 compatibility has been improved. 5.4
