Guest Alexander Ebert
Posted March 17, 2023

We have just released new versions of our products:

WoltLab Suite 5.5.10
WoltLab Suite 5.4.26
WoltLab Suite 5.3.27

Stability releases (third part of the version number, also known as “patch releases”) aim to solve existing problems in the current version. Like every stability release, they do not introduce new features. It is strongly recommended to apply these updates.

[HEADING=1]Security Notice[/HEADING]

Some forms for editing content only took into account whether the accessing user could edit the content, but not whether the content was also accessible to the accessing user. As a result, moderators or administrators could edit content that they were not able to access regularly by cleverly manipulating the accessed URL.

The impact of this incorrect permission check was limited to moderators and administrators who had permissions to edit third-party content. Only a few selected forms were affected by this bug. All affected forms are explicitly named in the list of changes without exception.

All installations of WoltLab Cloud customers have already been updated.

[HEADING=1]How to Apply Updates[/HEADING]

Open your Administration Control Panel and navigate to “Configuration → Packages → List Packages”. Please click on the button “Search for Updates” located in the right corner above the package list.

[HEADING=1]Notable Changes[/HEADING]

The list below includes only significant changes; minor fixes or typos are generally left out. The versions that received each change are given in parentheses.

[HEADING=2]WoltLab Suite Blog[/HEADING]

(SECURITY) Authorized moderators and administrators could edit blogs and blog entries that were not accessible by them. (5.5, 5.4, 5.3)
Deleting a category now also deletes subscriptions from the database. (5.5)

[HEADING=2]WoltLab Suite Calendar[/HEADING]

(SECURITY) Authorized moderators and administrators could edit appointments which were not accessible by them. (5.5, 5.4, 5.3)
Recognition for overlapping appointments is now done correctly for all-day appointments. (5.5)
Inviting users to an appointment no longer causes the time of their own participation decision to be changed. (5.5)
When removing participants, the entire list of participants was sometimes mistakenly hidden. (5.5)

[HEADING=2]WoltLab Suite Filebase[/HEADING]

(SECURITY) Authorized moderators and administrators could edit files that were not accessible by them. (5.5, 5.4, 5.3)
Notification about a deleted file no longer causes an error in the RSS feed of notifications. (5.5)
Deleting a category now also deletes subscriptions from the database. (5.5)

[HEADING=2]WoltLab Suite Forum[/HEADING]

(SECURITY) Authorized moderators and administrators could edit posts and threads that were not accessible by them. (5.5, 5.4, 5.3)
Editing an “announcement” by a moderator without the permission to create announcements no longer clears the announcement’s forum association. (5.5)
The creation time of the thread is now correctly adjusted when a disabled “to immediately” thread is active with “update time”. (5.5)

[HEADING=2]WoltLab Suite Gallery[/HEADING]

Deleting a category now also deletes the subscriptions from the database. (5.5)
When delivering images, an error in the HTTP headers was corrected, which could lead to caching of incorrect data in rare cases when changing the image or thumbnail. (5.5)
Deleting images via moderation no longer results in an error message and the reason for deletion is now stored correctly. The original change was made in WoltLab Suite 5.5.5 to properly move images to the recycle bin when deleting them via moderation instead of deleting them completely. (5.5)
Deleting an already deleted image via moderation no longer marks the moderation entry with an error message. Instead, the entry is silently marked as done, and the deletion reason for the image remains on the original reason. (5.5)

[HEADING=2]WoltLab Suite Core: Elasticsearch[/HEADING]

Fixed processing of search terms that are completely enclosed in quotes. (5.5)

[HEADING=2]WoltLab Suite Core: Exporter[/HEADING]

Burning Board 3: An error in processing certain values from the database was fixed. (5.5)

[HEADING=2]WoltLab Suite Core[/HEADING]

(SECURITY) Authorized moderators and administrators could edit articles that were not accessible by them. (5.5, 5.4, 5.3)
Users who are allowed to submit articles (but not publish them) can now edit their own articles until they are published. (5.5)
Editing a user rank failed if the deposited graphic did not exist anymore. (5.5)
Outgoing rich embed requests now set the accept-language header with the default community language. (5.5)
Checking the maximum length of the “About me” text now works correctly. (5.5)
When creating polls the answers were sometimes encoded twice. (5.5)
Deleting an article category now also deletes subscriptions from the database. (5.5)
Deleting the last category of an article now also deletes the article. (5.5)
A bug with clipboard processing in the media system was fixed. (5.5)
Images taken on edge were not scaled correctly when pasted into messages. (5.5)
External links in the main menu, if the setting to open external links in a new tab is active, now open properly in a new tab. (5.5)
A compatibility problem when running under PHP 8.1 was fixed. (5.5)
For developers: Single quotes in strings on the error page are escaped correctly again. (5.5)
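The permission check described in the Security Notice above, sketched as an added example that is not WoltLab's code and does not use its API: the `User` and `Entry` classes, their fields and both `editFormAllowed…` functions are hypothetical names, and the sample users and entries are constructed. It compares an edit form that only asks whether the user may edit with one that also requires the content to be accessible to that user.

```php
<?php
declare(strict_types=1);

// Hypothetical model for illustration; none of these names are WoltLab's API.
final class User
{
    /** @param int[] $readableCategories categories this user may open */
    public function __construct(
        public readonly int $id,
        public readonly bool $canEditOthersContent,
        public readonly array $readableCategories,
    ) {}
}

final class Entry
{
    public function __construct(
        public readonly int $authorID,
        public readonly int $categoryID,
    ) {}

    public function canRead(User $u): bool
    {
        return $u->id === $this->authorID
            || in_array($this->categoryID, $u->readableCategories, true);
    }

    public function canEdit(User $u): bool
    {
        return $u->id === $this->authorID || $u->canEditOthersContent;
    }
}

// Pattern from the notice: the form only checks the edit permission.
function editFormAllowedBefore(User $u, Entry $e): bool
{
    return $e->canEdit($u);
}

// Corrected pattern: the entry must be accessible AND editable.
function editFormAllowedAfter(User $u, Entry $e): bool
{
    return $e->canRead($u) && $e->canEdit($u);
}

// Constructed sample: a moderator who may edit third-party content
// but has no access to category 9.
$moderator = new User(2, true, [1, 2]);
$entries = ['visible' => new Entry(7, 1), 'hidden' => new Entry(7, 9)];
foreach ($entries as $label => $entry) {
    printf("%-8s before=%s after=%s\n", $label,
        var_export(editFormAllowedBefore($moderator, $entry), true),
        var_export(editFormAllowedAfter($moderator, $entry), true));
}
```

Running the same comparison for every edit form with an account that holds the edit permission but lacks access to the target category gives a regression check for this class of bug.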