
We've released a security update for Invision Community 4.7.20 and Invision Community 5.0.7

We recommend that all those using Invision Community update to the latest version as soon as possible.

Please note that Invision Community Cloud and Enterprise customers on either v4 or v5 already have this security update applied.

What does this update do?

This update fixes two issues in Invision Community 4.7.20 and one in Invision Community 5.0.7. We will update this topic with more information when we're confident most customers have upgraded.

These issues were reported to us by Egidio Romano from Karma(In)Security. We thank Egidio for reporting these issues to us as always.

I'm using the self hosted version (Invision Community Classic) on a version older than the latest, what should I do?

You can upgrade to the latest versions of 4.7.20 or 5.0.7 via the AdminCP. Follow the instructions in the banner to upgrade to the latest version which has been updated to include the security update.

I'm using Invision Community 5.0.8 Beta 1, what should I do?

You can upgrade to Invision Community 5.0.8 Beta 2.

I'm using Invision Community Cloud, what should I do?

You don't need to do anything. All packages except Invision Community Classic are already protected even if you're not on the latest version.

If you have any questions, let me know!


Hey @Matt , it's a nice facility within the AdminCP that it auto-detects the version differences (based on the underlying code perspective) and adds a banner to update. The only caveat in this instance is there is already a version 4.7.20 and now a new patched version 4.7.20, there should never be two 4.7.20 versions.

IC seems to follow semver in convention but not practice, as this security fix should have probably been 4.7.21, but I see there is already a 4.7.21 in Beta (https://invisioncommunity.com/release-notes/4721-beta-1-r133/). Given that, this security patch should have been 4.7.22 and that existing 4.7.21 beta never goes beyond beta but instead gets merged into a new 4.7.23. I know it can be a pain to manage, but this would make it clear as to what is included in what version and also display properly in the AdminCP (although the banner helps allude to which version of 4.7.20 is actively running in this case, but that isn't good practice).

And thanks to Egidio Romano for identifying the security issue! 👍

The IN_DEV files for the latest 4.7.20 (patch 3) and 4.7.21 B1 don't work:

Version does not exist.

I get an "error downloading update" message for the 4.7.20 version, whereupon I'm asked to upload the files to the server manually and click continue when ready. Where exactly do I upload them, though? Initially I uploaded the ZIP file to forums root directory, and then I tried the unzipped folder, but both were greeted with "no applications to upgrade". So I'm presuming that I didn't upload the files to the correct location. What am I supposed to do?

Kev

Upgraded without a hitch over here.


Thanks Matt.

Upgrade done without any issue, well done.

I'm currently running 4.7.20 (self-hosted), and this upgrade has rendered all of my custom forum read/unread icons invisible in my dev instance. Re-uploading the icons doesn't resolve, and I can only get the 'unread' icon to reappear upon clicking "Mark site read". After doing so, my unread icons are again invisible after a new post is made until I read the new post, at which point, I get the unread icon again. So the update effectively renders all unread forum icons invisible.

These icons have been in use and working for over ten years, so unless there's been an undisclosed change to the icon format specifications, there's an issue.

Clearing the cache has no impact.

TIA for any suggestions.

Edited by z929669

1 hour ago, z929669 said:

Clearing the cache has no impact.

Did you clear caches in your AdminCP → System → Support → Get Support → Clear System Caches, or are you talking about your browser's cache?

9 minutes ago, Gary said:

Did you clear caches in your AdminCP → System → Support → Get Support → Clear System Caches, or are you talking about your browser's cache?

I meant from the ACP: AdminCP → System → Support → Get Support → Clear System Caches

But I've also hard refreshed and cleared browser caches using Firefox, Chrome, and Edge.

Cool, just double checking. 😇

11 hours ago, Clover13 said:

Hey @Matt , it's a nice facility within the AdminCP that it auto-detects the version differences (based on the underlying code perspective) and adds a banner to update. The only caveat in this instance is there is already a version 4.7.20 and now a new patched version 4.7.20, there should never be two 4.7.20 versions.

IC seems to follow semver in convention but not practice, as this security fix should have probably been 4.7.21, but I see there is already a 4.7.21 in Beta (https://invisioncommunity.com/release-notes/4721-beta-1-r133/). Given that, this security patch should have been 4.7.22 and that existing 4.7.21 beta never goes beyond beta but instead gets merged into a new 4.7.23. I know it can be a pain to manage, but this would make it clear as to what is included in what version and also display properly in the AdminCP (although the banner helps allude to which version of 4.7.20 is actively running in this case, but that isn't good practice).

And thanks to Egidio Romano for identifying the security issue! 👍

I hear what you're saying but our build system is pretty fixed in its ways. When we release a new build ID (107803) as a git tag, we can name it either something new (4.7.21) or call it the same as the current release and then it'll be detected as a patch. A patch is often an easier path for customers because a full release (new human ID) would mean you'd have to run the upgrader. Also we tend to assign out human IDs a little in advance, so we have a lot of 4.7.21 already done by the time we needed to make a patch, which would mean we'd need to mess with tags in git to reset them to new IDs.

For example, with 5.0.7, we already had a 5.0.8 in beta testing.

We are looking to improve the patch system so that they are surfaced to the dashboard so it is more clear.

5 hours ago, z929669 said:

I'm currently running 4.7.20 (self-hosted), and this upgrade has rendered all of my custom forum read/unread icons invisible in my dev instance. Re-uploading the icons doesn't resolve, and I can only get the 'unread' icon to reappear upon clicking "Mark site read". After doing so, my unread icons are again invisible after a new post is made until I read the new post, at which point, I get the unread icon again. So the update effectively renders all unread forum icons invisible.

These icons have been in use and working for over ten years, so unless there's been an undisclosed change to the icon format specifications, there's an issue.

Clearing the cache has no impact.

TIA for any suggestions.

There hasn't been a change in unread icons. The changes were for the OAuth callback endpoint and calendar events.

9 hours ago, Large Scale Planes said:

I get an "error downloading update" message for the 4.7.20 version, whereupon I'm asked to upload the files to the server manually and click continue when ready. Where exactly do I upload them, though? Initially I uploaded the ZIP file to forums root directory, and then I tried the unzipped folder, but both were greeted with "no applications to upgrade". So I'm presuming that I didn't upload the files to the correct location. What am I supposed to do?

Kev

Did you get this resolved? Just upload the files from the zip to your server, overwriting the existing files.

Apparently the 4.7.21 beta isn't right. I upgraded and in my admin it says 5.0.8 beta 2; it's not 4.7.21 beta 1, so I assume someone uploaded the wrong version.

5 minutes ago, Drewfus said:

Apparently the 4.7.21 beta isn't right. I upgraded and in my admin it says 5.0.8 beta 2; it's not 4.7.21 beta 1, so I assume someone uploaded the wrong version.

Me - should upgrade v4.7.20 to v4.7.21 Beta 1 and installed v5.0.8 Beta 2 (manually upgraded - not through admin cp)

I'm trying to reinstall everything since this security update broke everything 😵

Not what's happening to me. I downloaded the 4.7.21 beta 1 from client area and it installed 5.0.8 beta 2 instead of 4.7.21 beta 1

Just now, SoloInter said:

I'm trying to reinstall everything since this security update broke everything 😵

If you are reverting, you should revert to backup, rather than installing. It's worth noting there, that it seems you have development builds switched on, and so when you upgraded it upgraded to the latest beta rather than the latest stable. So you have an issue with a test release unfortunately.

What is it you are doing to revert there? You should be

  • Restoring the database from your backup taken prior to upgrade

  • Restoring your files from your backup

You don't need to do an install here. Although to be honest, based on what I was seeing on your site, and mentioned on your ticket, it looks to be a permissions issue.

@Marc works fine from admin but the file in client area is 5.0.8 beta 2 not 4.7.21 beta 1

ok thank you

4 hours ago, Matt said:

I hear what you're saying but our build system is pretty fixed in its ways. When we release a new build ID (107803) as a git tag, we can name it either something new (4.7.21) or call it the same as the current release and then it'll be detected as a patch. A patch is often an easier path for customers because a full release (new human ID) would mean you'd have to run the upgrader. Also we tend to assign out human IDs a little in advance, so we have a lot of 4.7.21 already done by the time we needed to make a patch, which would mean we'd need to mess with tags in git to reset them to new IDs.

For example, with 5.0.7, we already had a 5.0.8 in beta testing.

We are looking to improve the patch system so that they are surfaced to the dashboard so it is more clear.

Regarding the patch to 4.7.20, it did seem to run the full upgrader on my sites (assuming by full upgrade you mean when all of the templates/CSS files, database, etc are going through batches of checks and updates)

10 minutes ago, Clover13 said:

Regarding the patch to 4.7.20, it did seem to run the full upgrader on my sites (assuming by full upgrade you mean when all of the templates/CSS files, database, etc are going through batches of checks and updates)

It can depend on a few factors, it decides whether it needs to run the full upgrade process when applying (a patch is effectively just another full build of the community). I have made some adjustments to minimise the possibility the full upgrade runs for this (since it's not really needed).

Anyone else experiencing errors after patch?

I'm running the standalone version and after the patch in Admin CP I have the following error: "There was an error loading the hook scanner results."

On the forum I have the following error:


IPS\Db\Exception: Table './c8rkhforum/ibf_core_search_index' is marked as crashed and last (automatic?) repair failed (144)

#0 /home/rkh/web/forum/system/Db/Select.php(407): IPS\_Db->preparedQuery()

#1 /home/rkh/web/forum/system/Db/Select.php(465): IPS\Db\_Select->runQuery()

#2 [internal function]: IPS\Db\_Select->rewind()

#3 /home/rkh/web/forum/system/Content/Search/Mysql/Query.php(1360): iterator_to_array()

#4 /home/rkh/web/forum/applications/core/modules/front/discover/streams.php(410): IPS\Content\Search\Mysql\_Query->search()

#5 /home/rkh/web/forum/system/Dispatcher/Controller.php(118): IPS\core\modules\front\discover\_streams->manage()

#6 /home/rkh/web/forum/applications/core/modules/front/discover/streams.php(65): IPS\Dispatcher\_Controller->execute()

#7 /home/rkh/web/forum/system/Dispatcher/Dispatcher.php(153): IPS\core\modules\front\discover\_streams->execute()

#8 /home/rkh/web/forum/index.php(13): IPS\_Dispatcher->run()

#9 {main}

Long story short, "unread" button doesn't work.

IPS\Db\Exception: Table './c8rkhforum/ibf_core_search_index' is marked as crashed and last (automatic?) repair failed (144)

You would need to contact your web host about that.

The hook scanner error can be ignored for now, it could be that you have a lot of things to scan and it couldn't complete it in time.
