We have just released new versions of our products:
- WoltLab Suite 5.5.11
- WoltLab Suite 5.4.27
- WoltLab Suite 5.3.28
Stability releases (third part of the version number, also known as “patch releases”) aim to solve existing problems in the current version. Like every stability release, they do not introduce new features. It is strongly recommended to apply these updates.
Following the discrepancies we previously discovered when checking permissions for managing articles, we performed more extensive tests. It was discovered that articles could be moved to arbitrary categories via the multi-selection. This allowed an authorized moderator or administrator to craft a malicious request to the server to move articles that the user did not have access to into categories that the user does have access to. We estimate the severity of this error to be minor, however, it is an permissions validation error and therefore we generally classify it as a security issue.
In another case, while reviewing a proposed change to the program code, we noticed that the implementation of StringUtil.unescapeHTML() decodes data in the wrong order. This can result in a string being generated that does not match the original version. The incorrect processing does not pose a direct threat, but the incorrectly generated string can potentially lead to incorrect behavior during further processing. The correct decoding and encoding of HTML is of fundamental importance, therefore we also classify this error as a security issue.
We have included updates to the supplied “guzzlehttp/psr7” and “laminas/laminas-diactoros” libraries that address an error in HTTP header checking. Each of these is a so-called “backport”, where we have included corrections to an older version of the libraries for compatibility reasons.
All installations of WoltLab Cloud customers have already been updated.
How to Apply Updates
Open your Administration Control Panel and navigate to “Configuration → Packages → List Packages”. Please click on the button “Search for Updates” located in the right corner above the package list.
The list below includes only significant changes, minor fixes or typos are generally left out.
WoltLab Suite Calendar
- The restriction to participate only if a user has previously been invited can now be changed for existing events. 5.5
- When using a 32-bit PHP, the month and week view of events in December 2037 is no longer accessible, because the following month January 2038 cannot be rendered correctly using 32-bit timestamps. 5.5
WoltLab Suite Filebase
- A rendering issue in the preview overlay of files has been resolved. 5.5
WoltLab Suite Core: Exporter
- WoltLab Suite Forum 4.x/5.x
- Categories with empty descriptions are now properly imported. 5.5
WoltLab Suite Core: Infractions
- The text of a predefined warning is now filled in properly even if the corresponding moderator has no permission to issue individual warnings. 5.5
WoltLab Suite Core
- (SECURITY) The permissions of moderators and administrators are now properly checked before assigning articles to a new category. 5.5 5.4 5.3
- (SECURITY) The order of decoding steps inside of StringUtil.unescapeHTML() was fixed. 5.5 5.4 5.3
- (SECURITY) Fixes in the external “guzzlehttp/psr7” library. 5.5 5.4 5.3
- (SECURITY) Fixes in the external “laminas/laminas-diactoros” library. 5.5
- Various corrections without any impact on the security have been made to the authorization checks of the article system. In particular, the permission to manage own articles is now usable without restrictions. 5.5
- Fixed a bug that caused texts with certain HTML elements to be included in the search index incorrectly. 5.5
- Editing multilingual content with the ' character works correctly now. 5.5
- Using mentions in the administration interface no longer causes an error. 5.5
- Importing styles as part of a package installation no longer compiles the SCSS, since at the end of the package installation the cache is cleared anyway and the compiled CSS is discarded. 5.5
- For developers: StringUtil::trim() can now process non-UTF-8 input without yielding an error message. However, the result is explicitly undefined. 5.5
- For developers: |is_string is now a valid template modifier. 5.5
- For developers: Checkbox-based FormBuilder fields now work correctly when submitted via AJAX. 5.5
- For developers: The articleLikeButtons template event was added to article. 5.5