XenForo 2.3.10 Released
XenForo 2.3.10 is now available for all licensed customers to download. We strongly recommend that all customers running previous versions of XenForo 2.3 upgrade to this release to benefit from increased stability.
In addition to the usual bug fixes, XenForo 2.3.10 includes a critical security fix involving a potential stored XSS vector in structured text mentions (mostly legacy profile post content). We'd like to extend thanks to metho for responsibly disclosing the issue.
If you are a XenForo Cloud customer running 2.3.8, the security fix has already been applied and no immediate action is required. XenForo 2.3.10 will be made available to you shortly.
We recommend doing a full upgrade to resolve the issue, but a patch can be applied manually. See below for further details.
Upload patch files
Extract the .zip file
Upload the contents of the upload directory to the root of your XenForo installation
Note: If you decide to patch the files instead of doing a full upgrade, your "File health check" will report these files as having "Unexpected contents". Because these files no longer contain the same contents your version of XF was shipped with, this is expected and can be safely ignored.
Some of the changes in XF 2.3.10 include:
Ensure "View Older Results" link appears on last page of search results
Ensure "No such recipient" bounce responses are classified as hard bounces
Ensure "Account Closed" bounce responses are classified as hard bounces
Ensure "Recipient not found" bounce responses are classified as hard bounces
Ensure "mailbox is disabled" bounce responses are classified as hard bounces
Ensure "not configured to receive" bounce responses are classified as hard bounces
Prevent inet_pton() ValueError when IP address contains null bytes
Use original Email object for error logging after DKIM signing to prevent undefined method error
Skip array values during custom field multiselect validation to prevent Array to string conversion warning
Normalize discouragement delay min/max values to prevent mt_rand() ValueError
Suppress dns_get_record() warning during DKIM verification to prevent job crash on DNS failure
Prevent alerts from being sent to banned users
Correct OAuth2 token revocation to properly invalidate both access and refresh tokens
Respect direction parameter for multi-column sort ordering in Finder
Re-enable passkey button when WebAuthn registration or authentication is aborted
Add missing bookmark_id index to xf_bookmark_label_use table
Prevent accumulating whitespace in GenerateFinders CLI command on repeated runs
Avoid exception-based flow control in getFinder for entity class resolution
Set explicit working directory for sub-processes to prevent failure when CWD is inaccessible
Prevent type error when custom field type changes with preserved values
Include purchasable ID in Stripe product and plan ID generation
[ICODE=rich] does not round-trip after editing a post
Implement ContainableInterface and DatableInterface on various child content entities
Create template when generating a route with xf-make:route
Some of the changes in XFMG 2.3.10 include:
Apply pagination to category content API endpoints
Catch DuplicateKeyException when setting media watch state to prevent race condition
Update album last_update_date when content fields change
Use correct permission check for adding media on what's new page
Disambiguate content type phrases by prefixing with 'Media'
Hide search albums tab when albums are globally disabled
Add lazy loading to gallery media images
Hide alert opt-outs when user cannot view media gallery
Delete original file only after transcoded file is successfully saved
The following public templates have had changes:
xfmg_media_view_macros
xfmg_whats_new_media
Where necessary, the merge system within the "outdated templates" page should be used to integrate these changes.