The issues identified are as follows:

- Prevention of a possible stored XSS (cross-site scripting) exploit related to BB code rendering (thank you to Antisocial)
- Prevention of a possible XSS exploit related to lightbox usage in posts (thank you UwU)
- Prevention of a possible RCE (remote code execution) exploit via authenticated, but malicious, admin users (thank you UwU)

If you are a XenForo Cloud customer, fixes for these issues have been rolled out automatically, and no further action is required to address them. We recommend doing a full upgrade to resolve the issue, but a patch can be applied manually. See below for further details.

Upload patch files

1. Download 239-patch.zip
2. Extract the .zip file
3. Upload the contents of the upload directory to the root of your XenForo installation
4. Rebuild master data by logging in to your install URL, or running xf:rebuild-master-data on the command line

If you are a XenForo Cloud customer, your installations have already been patched and no further action is required. You will remain on version 2.3.8 until 2.3.10 is released.

The following public templates have had changes:

- attachment_macros
- bb_code_tag_attach
- lightbox_macros

Where necessary, the merge system within the "outdated templates" page should be used to integrate these changes.

The following are minimum requirements:

- PHP 7.2 or newer (PHP 8.3 recommended)
- MySQL 5.7 and newer (Also compatible with MariaDB/Percona etc.)
- All of the official add-ons require XenForo 2.3.
- Enhanced Search requires at least Elasticsearch 7.2.
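A check for step 3 of the manual patch procedure above, added here as an example and not part of the XenForo announcement: it compares every file under the extracted upload directory with the same relative path in the installation root and reports files that are missing or differ. The function name verify_patch is an assumption, and both directory arguments are supplied by the operator.

```shell
#!/bin/sh
# Added example (not XenForo code): confirm a manually uploaded patch landed.
# Usage: verify_patch <extracted upload dir> <XenForo installation root>
# Prints one line per problem file.
# Returns 0 if every patch file is present and byte-identical,
# 1 if any file is missing or differs, 2 on bad arguments.
# Assumes file names contain no newline characters.
verify_patch() {
    patch_dir=$1
    xf_root=$2
    problems=0

    [ -d "$patch_dir" ] || { echo "no such patch dir: $patch_dir" >&2; return 2; }
    [ -d "$xf_root" ]   || { echo "no such install root: $xf_root" >&2; return 2; }

    list=$(mktemp) || return 2
    # Relative path of every regular file shipped in the patch.
    (cd "$patch_dir" && find . -type f) > "$list"

    while IFS= read -r rel; do
        rel=${rel#./}
        if [ ! -f "$xf_root/$rel" ]; then
            # The file was never uploaded.
            echo "MISSING  $rel"
            problems=$((problems + 1))
        elif ! cmp -s "$patch_dir/$rel" "$xf_root/$rel"; then
            # An older or modified copy is still in place.
            echo "DIFFERS  $rel"
            problems=$((problems + 1))
        fi
    done < "$list"

    rm -f "$list"
    [ "$problems" -eq 0 ]
}
```

A clean result covers the file upload only; master data still has to be rebuilt as described in step 4.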
XenForo 2.3.8 is now available for all Nulled customers to download. We strongly recommend that all customers running previous versions of XenForo 2.3 upgrade to this release to benefit from increased stability. XenForo 2.3.8 also includes a number of smaller new features and improvements which you can read about here:

Some of the changes in XF 2.3.8 include:

- Fix a potential denial of service bug related to pre-registration actions flooding. Thank you @vbresults!
- Fix an issue where EXIF orientation would be set when already adjusted client-side
- Fix some issues with entity type hinting
- Allow underscore word boundaries in read-only method names
- Fix empty user authorized applications list container
- Ensure language state is always restored in between generating activity summary emails
- Fix filter JS query parameter concatenation
- Allow passkey creation on local hosts
- Fix cleanUpInvalidRecords type hint
- Always coerce parse_less_color template function to hex for non-variable values
- Fix duplicate result-set hydration queries
- Return an error early when search keyword lengths are too long
- Use strict type checks when processing search input
- Only search and display posts on the profile postings tab
- Use post content filter and thread type sub-filter for member thread search
- Avoid converting SVGs to rasterised images
- Skip void method return in XF\Cli\Command\AbstractCommand::initialize
- Ensure invalid page numbers are handled correctly when viewing the watched threads list
- Add handling for null status message values when resuming jobs
- Ensure passkeys are deleted when the associated user is deleted
- Fix missing support for some webhook actions
- Add missing defaultname to xf:avatar and xf:username tags in the report_view template
- Support HTML for the summary_of_what_you_missed_recently phrase in the activity_summary email template
- Fix DKIM signing preventing List-Unsubscribe headers from being added to emails
- Require re-authentication before allowing passkey additions or modifications
- Support rebuilding unfurls when rebuilding metadata for supported content types
- Fix not being able to setup TOTP on Firefox via QR code if privacy.resistFingerprinting is enabled
- Add missing template annotation to EmbedResolver/AbstractHandler
- Update docblock hint on \XF\Repository\UserAlertRepository::fastDeleteAlertsForContent to include array of ints
- Improve add-on manager performance when coercing add-on IDs with a significant number installed
- When checking the replication status of a read server, make sure the query is properly sent to the read connection
- Support the "listitemclass" attribute when rendering checkboxes
- Try to preserve post ordering when there's an unexpected time sync issue
- Include a cache buster on direct attachment URLs
- Fix issue preventing "Handle report" button on an assigned report not revealing the save button
- Skip deleting style variation preference cookie on logout
- Throw an error if trying to rebuild search index with an invalid type
- Cache user online counts in the same request to reduce query usage
- Ensure _cascadeSave is cleared out when Entity::_saveCleanUp is called
- Guard against Request::getIp not returning a valid IP in some cases.
- Do not resolve attachment cover images for guests with no attachment permissions
- Pass criteria object to criteria_template_data event listeners
- Skip non-existent attachments when deleting from the control panel
- Set up search entity after searches have been executed
- Add JSDoc to XF.createElement
- Fix some issues with the quote plugin
- Correct some lingering links to twitter.com
- Hide additional contact heading from control panel user edit page when there are no contact user fields
- Remove pattern attribute from number inputs
- Fix DKIM signing in XF 2.3
- Fix missing trailing slash when linking to cookies explainer from privacy policy
- Workaround issue where Sign in with Apple might not return an email (#1199)
- Validate signature counter when using a passkey (#1198)
- Throw a clearer error when the current host and board URL do not match when creating or authenticating with passkeys (#1200)
- Log users in to the public forum when authenticating with passkeys via the admin panel (#1201)
- Inhibit sending push notifications to permanently removed Chrome subscriptions
- Ensure failed passkey logins count towards failed login attempts limit (#1207)
- Process Gmail inactive inbox bounce messages as a hard bounce (#1208)
- Make it easier to override PayPalRest plan parameters (#1209)
- Set tfa_trust cookie when logging in with a passkey (#1210)
- Create Finder directory if one does not exist when generating finder classes (#1211)
- Update PHPDoc for asVisitor function to better infer return types
- Reduce notification enqueuing delay when submitting posts
- Refactor delete clean up process to ensure rename and delete happens in one process
- Skip caching local URLs when using the image proxy
- Workaround potential race condition when saving bookmark labels
- Support using passkeys in place of password confirmations
- Support passing extra spam check data in the user registration service
- Add base webhook criteria classes
- Support accessing notification data in Notifier classes
- Add additional array functions to the templater
- Strip HTML tags when using the description as a title for an import from an RSS feed (#1214)
- Move XF\BbCodeRenderer\Html::getValidUrl functionality to a utility function (#1215)
- Throw an error if attempting to run an import step that does not exist (#1216)
- Include random string with DKIM selector (#1217)
- Check for case-mismatches when creating add-ons (#1218)
- Fix TypeError when non-array JSON input is submitted (#1223)
- Don't block image upload if EXIF processing fails (#1224)
- Fix issue where XF.phrase function was not able to handle repeated replacements
- Fix display of signatures set to falsey values
- Fix pagination scrolling behaviour for reactions received page
- Fix quick reply scroll-to-post behaviour
- Fix inverted logic in canResize method check
- Made add-on archive validator more robust by eliminating double extraction and adding proper JSON validation
- Finder::getCollectionFromResults doesn't check hydrateFromGrouped's return result is not null
- Ensure option values are cast to their proper data types when retrieved
- Incorrect operator precedence in template expressions
- Release builder fails with symlinked add-on directories
- Email bounce parser now handles multi-digit status codes (#1240)
- API routes generate invalid development output
- Improve delivery efficiency of CSS when using a cache
- Avoid unnecessary write of original avatar when only crop changes
- Reserve some memory for error reporting
- Pull protocol and host from board URL in CLI contexts
- Add support for AbstractCollection when using the Templater's array_* functions (#2182)
- Refactor lightbox sidebar toggle handling and ensure proper initialization

The following public templates have had changes:

- _help_page_privacy_policy
- account_reactions
- account_visitor_menu
- attachment_macros
- bb_code_tag_attach
- core.less
- core_action_bar.less
- embed_resolver_thread
- helper_attach_upload
- lightbox.less
- login_password_confirm
- member_about
- member_macros
- member_recent_content
- member_tooltip.less
- message.less
- message_macros
- news_feed_attached_images
- passkeys_macros
- report_view
- setup.less
- share_page_macros
- tag_macros
- tag_search
- two_step_totp

Where necessary, the merge system within the "outdated templates" page should be used to integrate these changes.

As always, new releases of XenForo are free to download for all customers with active licenses. You may now upgrade from your admin control panel or grab the new version from the customer area.

Current requirements

Please note that XenForo 2.3 has higher system requirements than earlier versions. The following are minimum requirements:

- PHP 7.2 or newer (PHP 8.3 recommended)
- MySQL 5.7 and newer (Also compatible with MariaDB/Percona etc.)
- All of the official add-ons require XenForo 2.3.
- Enhanced Search requires at least Elasticsearch 7.2.
Last Update: February 19, 2026 16:54 PM
Published: February 18, 2026 18:10 PM
Is Nulling Required: NO
Xenforo Compatibility: versions: 2.3