Security Release
This is a security release to address a vulnerability where the registration form could be manipulated to gain access to additional roles.
Upgrade is very strongly advised if your instance has user registration enabled.
Thanks to Kwonyong Lee (LinkedIn) for responsibly reporting this issue.
Thanks also to Boustani OSAMA (LinkedIn) for reporting this before public announcement.
Full List of Changes
- Updated user creation to only use validated input from registration.
- Updated PHP package versions.
- Updated translations with latest Crowdin changes. (#6064)
- Updated PHP_CodeSniffer repository link. Thanks to @rodrigoprimo. (#6060)
- Updated WYSIWYG editors to have consistent collapsible block double-click behavior. (#6059)
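
The "only use validated input" change listed above, shown as a general pattern in plain PHP. This is an added example, not code from this project or its fix; the field names, the `roles` key in the sample request, the default role and all function names are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Fields the registration form may supply (names assumed for this example).
const REGISTRATION_FIELDS = ['name', 'email', 'password'];

/** Build the validated data from scratch so no other request key can pass through. */
function validatedRegistration(array $input): array
{
    // Treat missing or non-string values as empty so they fail validation.
    $field = static fn (string $key): string =>
        is_string($input[$key] ?? null) ? $input[$key] : '';

    $name = trim($field('name'));
    $email = filter_var($field('email'), FILTER_VALIDATE_EMAIL);
    if ($name === '' || $email === false || strlen($field('password')) < 8) {
        throw new InvalidArgumentException('Invalid registration input');
    }
    return ['name' => $name, 'email' => $email, 'password' => $field('password')];
}

/** Request keys outside the allowed set; worth logging as a tampering signal. */
function unexpectedFields(array $input): array
{
    return array_values(array_diff(array_keys($input), REGISTRATION_FIELDS));
}

/** Roles come from server-side configuration, never from the request. */
function createUser(array $validated, array $defaultRoles): array
{
    return [
        'name' => $validated['name'],
        'email' => $validated['email'],
        'password_hash' => password_hash($validated['password'], PASSWORD_DEFAULT),
        'roles' => $defaultRoles,
    ];
}

// Constructed request body with a key the registration form does not offer.
$request = ['name' => 'Example User', 'email' => 'user@example.com',
            'password' => 'correct horse battery', 'roles' => ['1']];

$extra = unexpectedFields($request);
if ($extra !== []) {
    error_log('registration: ignored unexpected fields: ' . implode(', ', $extra));
}
$user = createUser(validatedRegistration($request), ['viewer']);
echo json_encode($user['roles']), PHP_EOL;
```

The created user carries only the server-side default role, and the extra key is recorded in the log rather than silently dropped.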