XenForo 2.1.10 Patch 2 Released (Includes Security Fix)

XenForo 2.1.10 is now available for all licensed customers to download. We recommend that all customers running previous versions of XenForo 2.1 upgrade to this release to benefit from increased stability.

Most importantly, this release fixes a security vulnerability in XenForo.

The issue is an XSS vulnerability. XSS (Cross Site Scripting) issues allow scripts and malicious HTML to be injected into the page, potentially allowing data theft or unauthenticated access. The vulnerability requires some very specific steps to be taken, involving pasting malicious content into the XenForo rich text editor, which may mean it is difficult to trigger. XenForo extends thanks to @TickTackk for reporting the issue.

While we recommend doing a full upgrade to resolve this issue, you can also patch the issue yourself with the attached file.

To patch your existing installation, please follow these steps:
  1. Download the patch files which are contained in a file called 2110patch.zip
  2. Extract the zip file to your computer, which should contain the following files:
    1. upload/js/xf/editor.js
    2. upload/js/xf/editor.min.js
    3. upload/js/xf/editor-compiled.js
  3. Upload the contents of the upload directory to the root of your XF installation.
  4. This will overwrite the following files:
    1. js/xf/editor.js
    2. js/xf/editor.min.js
    3. js/xf/editor-compiled.js
Note: If you decide to patch the files instead of doing a full upgrade, your "File health check" will report these three files as having "Unexpected contents". Because these files no longer contain the same contents your version of XF was shipped with, this is expected and can be safely ignored.
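
A check for the manual patch steps above, as an added example (not XenForo's own tooling): it compares each of the three patched files under the extracted upload directory with the copy in the XenForo root, so a partial upload does not go unnoticed. The two directory arguments are assumptions about where you extracted 2110patch.zip and where XenForo is installed.

```shell
#!/bin/sh
# Added example: confirm the three patched editor files were really
# overwritten in the XenForo root after following the steps above.
# PATCH_DIR (where 2110patch.zip was extracted) and XF_ROOT are assumptions.

PATCH_FILES="js/xf/editor.js js/xf/editor.min.js js/xf/editor-compiled.js"

# Print the SHA-256 of a file using whichever tool is available.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_patch PATCH_DIR XF_ROOT
# Prints one status line per file; returns 0 only if all three match.
verify_patch() {
    patch_dir=$1
    xf_root=$2
    rc=0
    for rel in $PATCH_FILES; do
        src="$patch_dir/upload/$rel"
        dst="$xf_root/$rel"
        if [ ! -f "$src" ]; then
            echo "MISSING-IN-PATCH $rel"; rc=1
        elif [ ! -f "$dst" ]; then
            echo "MISSING-IN-ROOT  $rel"; rc=1
        elif [ "$(file_sha256 "$src")" = "$(file_sha256 "$dst")" ]; then
            echo "PATCHED          $rel"
        else
            echo "NOT-PATCHED      $rel"; rc=1
        fi
    done
    return $rc
}

# Run only when both directories are given on the command line.
if [ $# -eq 2 ]; then
    verify_patch "$1" "$2"
fi
```

A non-zero exit status means at least one of the three files in the installation still differs from the patch copy or is missing.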

For instructions on how to resolve the issue by upgrading, and to see what else has changed in XenForo 2.1.10, please read on.

Download XenForo 2.1.10
or
Upgrade directly from within your control panel


When we released XenForo 2.0.2 we told you that we wanted to start collecting certain information about your XenForo installation and the server on which it is installed. The data that we collect is your PHP version, MySQL version and your XenForo version. This information helps us make important decisions such as which minimum PHP version we should target for future releases and helps us get a better understanding of how quickly new XF versions are adopted.

In addition to the aforementioned data, we would also like to start getting an understanding of how many add-ons our customers have installed plus the specific add-on IDs of any official XenForo add-ons you have installed.

During this upgrade you will be prompted again whether you would like to provide the usage statistics or not.

This information is, and always will be, entirely anonymous and does not include any personal or private information, but it is a huge help.

Some of the other changes in XF 2.1.10 include:

The following public templates have had changes:
  • _help_page_bb_codes
  • app_body.less
  • bb_code_tag_attach
  • code_editor
  • conversation_list
  • core_datalist.less
  • core_input.less
  • core_menu.less
  • core_overlay.less
  • editor.less
  • editor_base.less
  • editor_dialog_media
  • forum_post_quick_thread
  • forum_post_thread
  • forum_post_thread_chooser
  • forum_view
  • lightbox.less
  • lost_password_confirm
  • PAGE_CONTAINER
  • payment_cancel_recurring_confirm
  • payment_initiate.less
  • quick_reply_macros
  • share_page_macros
  • thread_reply
  • thread_view
  • widget_html
Where necessary, the merge system within the "outdated templates" page should be used to integrate these changes.

As always, new releases of XenForo are free to download for all customers with active licenses, who may now grab the new version from the customer area.

Note: add-ons, customizations and styles made for XenForo 1.x are not compatible with XenForo 2.x. If your site relies upon these for essential functionality, ensure that a XenForo 2 version exists before you start to upgrade. We strongly recommend you make a backup before attempting an upgrade.

Current Requirements

Please note that XenForo 2.1.x has higher system requirements than XenForo 1.x.

The following are minimum requirements:

  • PHP 5.6 or newer (PHP 7.4 recommended)
  • MySQL 5.5 and newer (Also compatible with MariaDB/Percona etc.)
  • All of the official add-ons require XenForo 2.1.
  • Enhanced Search requires at least Elasticsearch 2.0.

Installation and Upgrade Instructions for XenForo 2.1

Full details of how to install and upgrade XenForo can be found in the XenForo 2 Manual.

If you are already running XF 2.1 or above we strongly recommend upgrading directly from within your control panel.

Note that when upgrading from XenForo 1.x, all add-ons will be disabled and style customizations will not be maintained. New versions of add-ons will need to be installed and customizations will need to be redone. We strongly recommend that you make a backup before attempting an upgrade. Once upgraded, you will not be able to downgrade without restoring from a backup.
 


XenForo 2.1.10 Patch 2 Released

Shortly after releasing 2.1.10, we became aware of an incompatibility related to how some add-ons add custom CSS to the control panel. This could lead to the control panel appearing unstyled. In order to resolve this, we have released XenForo 2.1.10 Patch 2.

You can perform the upgrade directly from your control panel by going to Tools > Check for upgrades (<url>/admin.php?tools/upgrade-check if you do not see the link due to display issues). You can also download the update from your Customer area and upgrade manually.

(Note that Patch 1 was briefly released and has been superseded with Patch 2 to resolve this issue.)
 