Update: WoltLab Suite 5.4.15 / 5.3.21 / 5.2.20 / 3.1.28

Welcome To Extralicense, Forum Promotion, SEO, Domain Names, Hosting & More!

Buy, sell trade your licenses,Connect with fellow webmasters. Grow your network. Learn and share with us!


Likes To Be Here!
Community Leader
Valued Member
Oct 20, 2019
Mar 17th 2022
Official Post

We just released updates for our products:
  • WoltLab Suite 5.4.15
  • WoltLab Suite 5.3.21
  • WoltLab Suite 5.2.20
  • WoltLab Suite 3.1.28
Stability and bug fix releases (the 3rd digit of the version number, also known as "patch releases") only fix bugs in the current version and do not introduce any new features. It is strongly recommended to apply these updates.

safety notice​

We have been made aware that in the event of an error in the cron job log, an unwanted execution of HTML can occur. This can occur when a cron job, for example, retrieves data from an HTML page and, in the event of an error, stores HTML code as an error message, for example. As far as we know, this vulnerability cannot be specifically exploited by an attacker. Many thanks to SoftCreatR for bringing this problem to our attention.

We have also received reports that a so-called "Self-XSS" attack can occur when uploading file attachments with specially prepared file names. This can only be exploited under Linux and macOS, Windows generally does not allow the necessary characters in the file name. The impact is limited to the user himself at the time of uploading, there are no other impacts. In principle, this vulnerability cannot be exploited to attack other users or visitors to the site.

All installations of WoltLab Cloud customers have already been updated.

Updating an existing installation​

Open the administration interface and call Konfiguration > Pakete > Pakete auflistenup the menu item. Then click on the button Updates suchen, you will find this on the right above the package listing.

Significant Changes​

Please note that the list below contains only the most important changes. Minor corrections (including typos) are not listed separately.

WoltLab Suite Calendar​

  • When changing to another month, the filter by labels was discarded.5.4
  • Label groups could erroneously be set only for the first levels of categories.5.4

WoltLab Suite Filebase​

  • Label groups could erroneously be set only for the first levels of categories.5.4
  • An incorrect message was generated when calling a non-existent file.5.4 5.3
  • Deactivated versions can now also be viewed by the “other authors” of a file.5.4

WoltLab Suite Forum​

  • Creating direct links to a filtered topic list could in rare cases create invalid links.5.4

WoltLab Suite Core: Importer​

  • vBulletin 5.x
    • Fixed importing Argon2 passwords.

WoltLab Suite Core​

  • (SECURITY) : HTML in the error message of failed cronjobs is now correctly escaped in the cronjob log.5.4 5.3 5.2 3.1
  • (SECURITY) : HTML is now properly escaped in the filename display during the upload of a file attachment. After completing the upload and editing content (e.g. post), the behavior was already correct.5.4 5.3 5.2 3.1
  • Fixed mentioning usergroups with non-latin letters.5.4
  • Reverted auto-expanding blocked content on direct link in WoltLab Suite 5.4.14 as it had unexpected impact on user experience.5.4
  • Links pasted into the editor on iOS and Android no longer end up at the beginning of the text.5.4
  • Fixed detection of IPv4 addresses with the StopForumSpam integration.5.4 5.3
  • Empty user profile fields of type labeledUrlare no longer displayed in the profile.5.4
  • Fixed handling search terms in quotes when using MySQL-based search.5.4
  • The rich embeds now ignore all non-HTTP links instead of trying to fetch them unsuccessfully.5.4
  • Unknown encodings of the retrieved website no longer cause an error message to be logged in rich embeds.5.4
  • Label groups could erroneously be set only for the first levels of categories.5.4
  • The user experience when selecting objects (e.g. a forum section) to configure a menu item has been improved.5.4
  • Highlighting citable texts on Android / Chrome Mobile no longer causes the whole page to be highlighted when hovering over the cite menu.5.4
  • When submitting a form with incorrect input, the correct tab was not opened automatically.5.4
  • Searching profile fields with decimal numbers now normalizes the user's localized search input.5.4
  • Improved error message for invalid input for integer profile fields.5.4
  • Words shorter than the minimum length to be included in the MySQL search index are no longer enforced. Without this change, the search results were filtered out in which the words appeared alone and only returned results in which these words appeared as part of a word.5.4
  • For developers: Bug fixes on the Dev Tools.5.4
  • For developers: Disabled input fields for the date picker were not correctly initialized.5.4
  • For developers: The escape key in dialogs now triggers the callback for onBeforeClose.5.4
  • For developers: Error handling for erroneous $limitand $offsetparameters in ->prepare()and ->prepareStatement()has been improved.5.4 5.3