- Affected version
- 2.2.13
When a user is merged,
So if a user starts a user upgrade, and the merge occurs before site callback; the user upgrade will get into a failed state as the user the upgrade applies to no longer exists (or partially exists depending on timings).
There is a
So it is possible for an old record to be read, and then the rows to be updated resulting in lost updates. This is most likely to be seen with alerts on a highly active site, but the impact on a user-upgrade going missing when dealing with money is the most significant impact.
xf_purchase_request.user_id doesn't appear to be updated when updating various records linking to that user.So if a user starts a user upgrade, and the merge occurs before site callback; the user upgrade will get into a failed state as the user the upgrade applies to no longer exists (or partially exists depending on timings).
There is a
ContentChange::$updates which is a list of tables to be updated during a change, but this appears vulnerable to a race condition since it needs to incrementally work table-by-table.So it is possible for an old record to be read, and then the rows to be updated resulting in lost updates. This is most likely to be seen with alerts on a highly active site, but the impact on a user-upgrade going missing when dealing with money is the most significant impact.
Last edited:
