Security Fix
Today we are advising all customers running XenForo that a potential security vulnerability has been identified. All affected customers running XenForo 2.3.0 should upgrade to XenForo 2.3.0 Release Candidate 1, including XenForo Media Gallery 2.3.0 Release Candidate 1 if needed.
If you also have active installs of XenForo 2.2 or XenForo 2.1 you should refer to the earlier thread with details and patch.
The issue relates to a potential cross-site request forgery and code injection vulnerability which could lead to a remote code execution (RCE) or cross-site scripting (XSS) exploit.
XenForo extends thanks to independent security researcher, Egidio Romano (EgiX), working with SSD Secure Disclosure.
We recommend doing a full upgrade to resolve the issue.
XenForo & Add-ons 2.3.0 Release Candidate 1 Released
It's finally here, the first of a series of release candidates for the XenForo 2.3.0 stable release. We still have a bit more work to do and other changes and improvements in the pipeline but at this point the most serious bugs have been tackled and we don't expect many more releases before we can declare it is ready for a stable release.
We strongly recommend anyone testing 2.3 during this pre-release period upgrade as each pre-release version is released.
More specific details regarding bugs fixed in this release can be found in the resolved bugs forum.
This is pre-release software. It is not officially supported.
We do not recommend running it in production.
Please remember that this is pre-release software. It contains known bugs and incomplete functionality. We do not recommend running pre-release software in a production environment, and support is limited at this time to questions here on the community forums.
Add-ons and custom styles may be broken after upgrading to 2.3. You must test your add-ons thoroughly or look for updates. Be especially careful with add-ons that cover similar features to ones that are added to 2.3; these may conflict with the core XenForo data. If data conflicts are found, they will need to be resolved in a new add-on release or by removing the add-on before upgrading to 2.3.
If you choose to run pre-release software, it is your responsibility to ensure that you make a backup of your data. We recommend you do this before attempting an upgrade. If in doubt, always do a test upgrade on a copy of your production data.
All customers with active licenses may now download the new version from the customer area.
Download XenForo 2.3.0 Release Candidate 1
From the licensed customer area
Alongside the release of XenForo 2.3.0 Release Candidate 1, we are also releasing updated versions of each of our official add-ons:
- XenForo Media Gallery 2.3.0 Release Candidate 1 (Includes Security Fix)
- XenForo Resource Manager 2.3.0 Release Candidate 1
- XenForo Enhanced Search 2.3.0 Release Candidate 1
Download official add-ons
From the licensed customer area
Requirements
The following are minimum requirements:
- PHP 7.2 or newer
- MySQL 5.7 and newer
- All of the add-ons listed here require XenForo 2.3.
- Enhanced Search requires at least Elasticsearch 7.2
Installation and upgrade instructions
Full details for how to install and upgrade XenForo can be found in the XenForo manual. One-click upgrades from XF 2.2 are possible, but you must uncheck the "Only check for stable upgrades" option in Options > Basic board information. Once the XF 2.3 upgrade has been completed, the official add-ons should be upgraded as well.
Please remember that this is pre-release software. It contains known bugs and incomplete functionality. We do not recommend or support running pre-release software in a production environment. Support for pre-releases is limited to questions here on the community forums.