Releases XenForo 2.3 Released Upgrade Nulled By XnForo.Ir 2.3.10

Some of the changes in XF 2.3.10 include:

• Ensure "View Older Results" link appears on last page of search results
• Ensure "No such recipient" bounce responses are classified as hard bounces
• Ensure "Account Closed" bounce responses are classified as hard bounces
• Ensure "Recipient not found" bounce responses are classified as hard bounces
• Ensure "mailbox is disabled" bounce responses are classified as hard bounces
• Ensure "not configured to receive" bounce responses are classified as hard bounces
• Prevent inet_pton() ValueError when IP address contains null bytes
• Use original Email object for error logging after DKIM signing to prevent undefined method error
• Skip array values during custom field multiselect validation to prevent Array to string conversion warning
• Normalize discouragement delay min/max values to prevent mt_rand() ValueError
• Suppress dns_get_record() warning during DKIM verification to prevent job crash on DNS failure
• Prevent alerts from being sent to banned users
• Correct OAuth2 token revocation to properly invalidate both access and refresh tokens
• Respect direction parameter for multi-column sort ordering in Finder
• Re-enable passkey button when WebAuthn registration or authentication is aborted
• Add missing bookmark_id index to xf_bookmark_label_use table
• Prevent accumulating whitespace in GenerateFinders CLI command on repeated runs
• Avoid exception-based flow control in getFinder for entity class resolution
• Set explicit working directory for sub-processes to prevent failure when CWD is inaccessible
• Prevent type error when custom field type changes with preserved values
• Include purchasable ID in Stripe product and plan ID generation
• does not round-trip after editing a post
• Implement ContainableInterface and DatableInterface on various child content entities
• Create template when generating a route with xf-make:route.

Today, XenForo has released XenForo 2.3.9, a critical security update designed to address several recently reported potential security vulnerabilities. This release focuses exclusively on security fixes. Any bug fixes that were previously expected to be included in version 2.3.9 have now been officially postponed and will be delivered with XenForo 2.3.10.

XenForo 2.3.9 is now available for download to all licensed customers. To ensure optimal security, improved stability, and protection against known exploits, we strongly recommend that all customers running earlier versions of XenForo 2.3 upgrade to XenForo 2.3.9 as soon as possible.

Security Issues Addressed in XenForo 2.3.9

The following vulnerabilities have been identified and resolved in this release:

• Prevention of a possible stored XSS (Cross-Site Scripting) exploit related to BB code rendering
  (Thanks to Antisocial)
• Prevention of a possible XSS exploit related to lightbox usage within posts
  (Thanks to UwU)
• Prevention of a possible RCE (Remote Code Execution) exploit via authenticated but malicious administrator accounts
  (Thanks to UwU)

These vulnerabilities could pose a significant security risk if exploited, making XenForo 2.3.9 an essential security update for all self-hosted XenForo installations.

XenForo 2.3.8 is now available for download to all licensed customers. All customers using previous XenForo 2.3 versions are strongly advised to upgrade to this version to benefit from increased stability. Some of the changes in

XenForo 2.3.8 are as follows:

• Fixes the issue of readjusting EXIF orientation information when it's already fixed on the client side.
• Fix some issues related to entity type hints.
• Allow underscores (_) to delimit word names in read-only method names.
• Fix empty user authorized applications list container
• Ensure the language status is always restored when generating event summary emails.
• Fixes the Filter JS query parameter merging issue.
• Allow the creation of passkeys on local hosts.
• Fix the cleanUpInvalidRecords type hint issue.
• The `parse_less_color` template function should always force hexadecimal for non-variable values.
• Fix duplicate result-set hydrate queries.
• Return an early error if the search keyword length is too long.
• Use strict type checks when processing search input.
• In the Profile Posts tab, search and show only posts.
• Use the post content filter and the topic type sub-filter in member topic searches.
• Avoid converting SVGs to raster (bitmap) images.
• Skip the void method return in XF\Cli\Command\AbstractCommand::initialize
• When viewing the list of monitored topics, ensure that invalid page numbers are processed correctly.
• Add to processing for null status messages while jobs are in progress.
• Make sure the access keys are deleted when the relevant user is deleted.
• Fixed missing support for some webhook actions.
• Add the missing defaultname to the xf:avatar and xf:username tags in the report_view template.
• Add HTML support for the `summary_of_what_you_missed_recently` phrase in the `activity_summary` email template.
• Fix an issue where the DKIM signature was preventing List-Unsubscribe headers from being added to emails.
• Require re-authentication before adding or changing the passkey.
• Support for regenerating unfurls when regenerating metadata for supported content types.
• Fixes the issue of not being able to set up TOTP via QR code in Firefox if privacy.resistFingerprinting is enabled.
• Add the missing template annotation for EmbedResolver/AbstractHandler.
• Update the PHPDoc hint \XF\Repository\UserAlertRepository::fastDeleteAlertsForContent to include the int array.
• Improve plugin ID coercing in the plugin manager when multiple plugins are installed.
• When checking the replication status of the read server, ensure the query is sent to the correct connection.
• Support the "listitemclass" attribute when creating checkboxes.
• Try to maintain the sending order in case of unexpected time synchronization issues.
• Add a cache buster directly to attachment URLs.
• Fix the issue that caused the "Process Report" button in an assigned report to not show the save button.
• Skip deleting the style variation preference cookie when you log out.
• An error is thrown when attempting to reconstruct the search index with an invalid type.
• Caching user online counts within the same request reduces query usage.
• Ensure cascadeSave is cleaned up when Entity::_saveCleanUp is called.
• Add protection against the fact that `Request::getIp` sometimes doesn't return a valid IP address.
• Parsing cover images for guests without attachment permissions.
• Pass the criteria object to the criteria_template_data event listeners.
• Skip additional files that don't exist when deleting from the control panel.
• Set the search entity after the searches are executed.
• Add JSDoc for XF.createElement
• Fix some issues with the quote plugin.
• Fix some lingering links leading to twitter.com.
• On the control panel's user settings page, hide the additional contact heading if there is no contact field.
• Remove the pattern attribute from number inputs.
• Fixes DKIM signing issue in XF 2.3
• Correct the missing trailing slash in the link from the privacy policy to the cookie explainer page.
• Workaround for the issue of the Sign In with Apple feature not returning emails (#1199)
• Verify signature counter when using passkey (#1198)
• Throw a clearer error (#1200) if the current host and forum URL do not match when generating or validating the passkey.
• When a user is authenticated with a passcode via the admin panel, they are also allowed to log in to the public forum (#1201)
• Prevent push notifications from being sent to permanently deleted Chrome subscriptions.
• Ensure that failed access key entries are included in the failed access attempt limit (#1207)
• Gmail treats passive inbox bounce messages as hard bounces (#1208)
• Make it easy to override PayPalRest plan parameters (#1209)
• Set tfa_trust cookie when logging in with passkey (#1210)
• Create a directory if it doesn't exist when creating Finder classes (#1211)
• Update PHPDoc for the asVisitor function to better extract return types.
• Reduce notification queuing delay when sending a post.
• Reorganize the deletion and cleaning process; renaming and deleting should be done in a single process.
• Skip caching local URLs when using an image proxy.
• Workaround for potential race conditions when saving bookmark tags.
• Support using a passcode instead of a password.
• Support passing extra spam control data in the user registration service.
• Add basic webhook criteria classes
• Support accessing notification data in Notifier classes.
• Support additional array functions in the templator.
• Clean HTML tags when using description as title in RSS import (#1214)
• Move the XF\BbCodeRenderer\Html::getValidUrl function to a utility function (#1215)
• Throws an error when trying to run a non-existent import step (#1216)
• Add a random string to the DKIM selector (#1217)
• Check for case discrepancies when creating the plugin (#1218)
• Fix TypeError that occurs when sending non-array JSON input (#1223)
• Preventing image uploads even if EXIF processing fails (#1224)
• Fix the issue where the XF.phrase function cannot handle repeated substitutions.
• Fix the display of signatures set to False.
• Fix pagination scrolling behavior on the Received Responses page.
• Fix the scrolling behavior in the quick reply section.
• Correct the reverse logic in the canResize method control.
• Make the plugin archive validator more robust by removing duplicate inference and adding proper JSON validation.
• Finder::getCollectionFromResults does not check if the return hydrateFromGrouped is null.
• Ensure that the option values are converted to the correct data types when being retrieved.
• Correct incorrect operator precedence in template expressions.
• The release builder fails on plugin directories containing symbolic links.
• Email bounce parser now also handles multi-digit status codes (#1240)
• API routes are producing invalid development output.
• Improve CSS delivery efficiency when using caching.
• Only when cropping changes will it prevent unnecessary text from being added to the original avatar.
• Allocate some memory for error reporting.
• In CLI contexts, retrieve protocol and host information from the forum URL.
• Add AbstractCollection support when using the templator's array* functions (#2182)
• Reconfigure the lightbox side panel open/close operation and ensure it's started correctly.

The following publicly available templates have been modified:

• _help_page_privacy_policy
• account_reactions
• account_visitor_menu
• attachment_macros
• bb_code_tag_attach
• core.less
• core_action_bar.less
• embed_resolver_thread
• helper_attach_upload
• lightbox.less
• login_password_confirm
• member_about
• member_macros
• member_recent_content
• member_tooltip.less
• message.less
• message_macros
• news_feed_attached_images
• passkeys_macros
• report_view
• setup.less
• share_page_macros
• tag_macros
• tag_search
• two_step_totp

If necessary, the merge system on the "legacy templates" page should be used to integrate these changes.

Current requirements:
Please note that XenForo 2.3 has higher system requirements than previous versions.

The following are the minimum requirements:

• PHP 7.2 or newer (PHP 8.3 recommended)
• MySQL 5.7 and newer (Also compatible with MariaDB/Percona etc.)
• All of the official add-ons require XenForo 2.3.
• Enhanced Search requires at least Elasticsearch 7.2.