Update: WoltLab Suite 5.5.14 / 5.4.30

    We have just released new versions of our products:

    • WoltLab Suite 5.5.14
    • WoltLab Suite 5.4.30

    Stability releases (third part of the version number, also known as “patch releases”) aim to solve existing problems in the current version. Like every stability release, they do not introduce new features. It is strongly recommended to apply these updates.

    Security Notice

    WoltLab Suite Gallery allows individual configuration of the allowed file extensions for uploaded images and videos, similar to the logic used for file attachments, for example. Unlike file attachments, however, images and videos uploaded this way are stored with their file extensions retained.

    If an administrator were to mistakenly allow “php” or a similar file extension, authorized users could upload and run files of this type. This problem does not occur in a standard installation; it requires an administrator to actively allow these file extensions. With this update, WoltLab Suite Gallery generally prevents uploading files of this type as an image or video.

    WoltLab Cloud customers were generally not affected by this vulnerability due to the hardened configuration of the systems. Regardless of this, all installations of WoltLab Cloud customers have of course already been updated.
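
    The kind of check this notice describes, as an added example (not WoltLab's code): an administrator-configured allowlist is filtered against a fixed deny list before an upload name is accepted, so a misconfiguration cannot enable executable extensions. The deny list contents, function names and sample file names are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical deny list (assumption, not taken from WoltLab): extensions a
// web server may be configured to hand to an interpreter.
const BLOCKED_EXTENSIONS = [
    'php', 'php3', 'php4', 'php5', 'php7', 'php8',
    'phtml', 'phar', 'pht', 'phps', 'cgi', 'pl', 'htaccess',
];

/** Admin-configured allowlist, normalized, with every blocked entry removed. */
function effectiveAllowlist(array $configured): array
{
    $normalized = array_map(
        static fn (string $ext): string => strtolower(ltrim(trim($ext), '.')),
        $configured
    );
    return array_values(array_diff(array_filter($normalized, 'strlen'), BLOCKED_EXTENSIONS));
}

/**
 * Decides whether an upload may be stored under its original name.
 * Every dot-separated segment after the base name is checked, because some
 * server setups also treat names such as "x.php.jpg" as PHP.
 */
function isUploadNameAllowed(string $filename, array $configured): bool
{
    $name = strtolower(basename(str_replace('\\', '/', $filename)));
    $name = rtrim($name, ". \0");          // trailing dots, spaces, NUL bytes
    $segments = explode('.', $name);
    array_shift($segments);                // drop the base name
    if ($segments === []) {
        return false;                      // no extension at all
    }
    foreach ($segments as $segment) {
        if (in_array($segment, BLOCKED_EXTENSIONS, true)) {
            return false;                  // blocked even if the admin allowed it
        }
    }
    return in_array(end($segments), effectiveAllowlist($configured), true);
}

// Constructed sample: an allowlist to which "php" was added by mistake.
$configured = ['jpg', 'png', 'mp4', 'PHP'];
$samples = ['holiday.jpg', 'clip.mp4', 'page.php', 'page.php.jpg', 'x.PhTmL', 'notes.txt'];
foreach ($samples as $file) {
    printf("%-13s %s\n", $file, isUploadNameAllowed($file, $configured) ? 'accept' : 'reject');
}
```

    A name check like this complements, and does not replace, a server configuration that never executes scripts from the upload directory.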

    How to Apply Updates

    Open your Administration Control Panel and navigate to “Configuration → Packages → List Packages”. Please click on the button “Search for Updates” located in the right corner above the package list.

    Notable Changes

    The list below includes only significant changes; minor fixes or typos are generally left out.

    WoltLab Suite Forum

    • Special characters in field names of thread forms were processed incorrectly. 5.5
    • Fixed a bug in the internal implementation of the search, which became noticeable only with WoltLab Suite 6.0. 5.5
    • Modified requests to edit a starting post with thread form can no longer result in a system error message. 5.5

    WoltLab Suite Gallery

    • SECURITY A misconfiguration of allowed file extensions for images and videos by an administrator could allow execution of arbitrary PHP code. 5.5 5.4

    WoltLab Suite Core

    • WoltLab news on the home page of the admin panel was completely reworked. 5.5 5.4
    • For developers: The processing of commas in Ui/ItemList/Static was fixed. 5.5 5.4
    • For developers: Updated tslib. 5.5
    • For developers: UTF-8 sequences are no longer broken when truncating string parameters in SQL queries in the benchmark, so the result remains a valid UTF-8 string. 5.5
