We are pleased to announce the release of phpBB 3.2.11 "The Name of the Bertie". This version is a security release of the 3.2.x branch which fixes one security issue, and introduces further hardening.
Previous versions of phpBB starting with 3.2.0 adjusted the way formatting was removed in the strip BBCode function. If this function was used in extensions it could potentially lead to HTML entities being decoded and encoded unexpectedly and therefore result in reflected XSS. We’d like to thank n0bodysec for responsibly disclosing this to us.
Further hardening has been introduced to the ACP configuration settings for the Jabber functionality. The page will no longer output the communication content while adjusting settings. We’d like to thank Cory Billington for reporting this issue to us via HackerOne.
As you might be aware, the 3.2 branch has almost approached its End of Life and will not receive further security updates after November 7th, 2020. We’d like to remind everyone to upgrade to phpBB 3.3 as soon as possible.
The full list of changes is available in the changelog file within the docs folder contained in the release package. You can find the key highlights of this release on the wiki at https://wiki.phpbb.com/Release_Highlights/3.2.11 and a list of all issues fixed on our tracker at https://tracker.phpbb.com/issues/?filter=15490
The packages can be downloaded from our downloads page.
If you have any questions or comments, we'll be happy to address them in the discussion topic.
- The phpBB Team
- Invalid conversion of HTML entities when stripping BBCode
- Reduce verbosity of jabber output in ACP