CVE-2022-26173: JForum2 / Wiki / NewFeatures281

JForum v2.8.0 was discovered to contain a Cross-Site Request Forgery (CSRF) via http://target_host:port/jforum-2.8.0/jforum.page, which allows attackers to arbitrarily add admin accounts.


New and changed features in JForum 2.8.1

Information about upgrading from JForum version 2.8.0 to 2.8.1 can be found at Upgrading to JForum 2.8.1.

New Features and fixes

  • fixed CSRF vulnerability
  • more control over image attachments from the Configurations page
  • various font and background colors can be configured from the Configurations page
  • optimized Recent Topics and Hot Topics for large installations
  • fixed issue where the last visited time on the forum home page showed the time of the last session start rather than the actual last visit
  • switched Google Analytics integration from analytics.js to gtag.js

Libraries

  • updated Apache Lucene from 8.10.1 to 8.11.1
  • updated Apache PDFBox from 2.0.24 to 2.0.26
  • updated EventBus from 3.2.0 to 3.3.1
  • updated JDOM2 from 2.0.6 to 2.0.6.1
  • updated JSoup from 1.14.3 to 1.15.1
  • updated Microsoft SQLServer driver from 9.4.0 to 10.2.1
  • updated MySQL driver from 8.0.27 to 8.0.29
  • updated Oracle driver from 21.3.0.0 to 21.5.0.0
  • updated PrettyTime from 5.0.2 to 5.0.3
  • updated PostgreSQL driver from 42.3.1 to 42.3.6
  • updated slf4j from 1.7.32 to 1.7.36
  • added YAUAA 7.1.0 (instead of pieroxy) for user agent detection
  • updated several Maven plugins

New Configurations

Entry name                            Default value   Description
attachments.images.thumb.hover.show   false           Whether to show the full-sized image as a popup when hovering over an image thumbnail. This causes all images to be downloaded in full size, which may not be wanted.
color.orange                          #ffa34f         Orange font color
color.darkblue                        #01336b         Dark blue font color
color.lightgray                       #dee3e7         Light gray background color
color.verylight                       #fafafa         Very light background color
color.quitelight                      #f7f7f7         Quite light background color

Database Schema

These indexes speed up operations on large JForum installations, but are optional.

CREATE INDEX idx_topics_views ON jforum_topics(topic_views);
CREATE INDEX idx_topics_replies ON jforum_topics(topic_replies);
