Firstly, despite our best efforts and a full security audit of the 3.1 codebase by SektionEins, Dingjie Yang of Qualys, Inc. discovered an XSS vulnerability that may be utilized against users of older browsers. Our tests indicate that this does not seem to affect major browsers released after 2009, making all browsers officially supported by phpBB 3.1 immune and around 99.9% of phpBB.com visitors unaffected. Nevertheless, we are not taking any chances and urge everyone to update. Thanks to Mr. Yang for bringing this to our attention.
Secondly, we are removing the "Send a copy of this email to yourself" feature from the contact page for guests to avoid it being used for sending undesired emails from the board.
Lastly, we are fixing several usability issues that were preventing some users from having a smooth experience while updating from 3.0 to 3.1. The notable ones are:
- If a user's selected style no longer exists, attempt to reset to an existing style.
- Fix auth provider errors for forums that migrated from other forum software.
- Improve and correct update instructions and documentation.
If you have any questions or comments, we'll be happy to address them in the discussion topic
- The phpBB Team