Fixed external video URLs being embeddable which could allow htaccess prompts for Firefox users, which could be manipulated for social engineering.
Fixed SSRF vulnerability if image proxy is enabled.
Fixed GET data overwriting POST data when submitting a form.
The gateway files for downloading attachments now issue a Content-Security-Policy header.
Clarified verbiage on button when resuming a UTF8 conversion.
Added a message for when REST API test fails due to a path conflict.
Added the ability to fetch members via the REST API with activity_before / activity_after parameters.
Added `device_key` cookie information to the cookie page.
Adjusted Community in the Cloud auto-upgrader interface for future upgrades as the existing progress bar was inaccurate.
Adjusted the Friendly URL list to allow legacy customized URLs to be reverted.
Updated 'username' verbiage in some areas to refer to 'display name' instead.
Users will now be redirected directly to reviews they submit rather than back to the item.
Fixed individual comments sometimes showing in “Items Only” streams when using Elasticsearch.
Fixed an issue where content may not be presented in Elasticsearch searches after it is updated.
Fixed an issue where anonymous state can be lost for sessions when using Redis for session handling.
Fixed errors viewing and rebuilding the leaderboard, using post before registering and viewing social promotion when MySQL 8.0.17 is used.
Fixed a duplicate column error that may be logged when upgrading.
Fixed an error that can occur when tracking email statistics if the email is sent from a task.
Fixed an issue where uploading a new version of a theme may not immediately reflect changes when using disk caching.
Fixed an issue where editing some login handlers (Facebook, Microsoft, etc.) can break in some situations when editing their details.
Fixed unstyled content showing in Firefox on pages containing embeds if lazy-loading is enabled.
Fixed an issue were re-promoting content may not correctly show the selection state of existing image attachments.
Fixed a rare niche issue where it's possible for a digest task to get stuck in a loop.
Fixed an issue with unapproved comment notifications in situations when merging content and retaining a link.
Fixed an issue where it's possible to cause an uncaught exception by manipulating the URL for a content item that doesn't support reactions.
Fixed an issue where MySQL search index records were incorrectly deleted.
Fixed a missing language string on the 'Support Account' AdminCP notification when Commerce isn't present.
Fixed an issue with the LDAP login handler where error messages during set up may not be descriptive.
Fixed an issue where the empty BreadcrumbList ld + json tag would be added to the output.
Fixed an issue where it was possible to bypass profanity filters when using quick title edit.
Fixed an issue where admin control panel failed mail notifications could show a template error.
Removed options for content widget feeds to return hidden content added in 4.4.5 which has been unreliable
Fixed “Reply to this topic” button not working for guests
Fixed an issue where the ACP - “Popular Now” forum settings couldn't be saved .
Fixed an issue where the upgrade could fail because of missing database columns.
Fixed an error when pasting a page link into an editor, it displayed as an embed of the entire site.
Fixed permissions not synchronizing properly when changing a database from using categories to not using categories.
Fixed Editor fields pre-populating content from other records when the "Editable when viewing a record" setting is used.
Fixed an issue where externally embedded blocks do not work if "Allow community to be embedded in an iframe" is not set to "Anywhere".
Fixed all day event dates showing incorrectly in email notifications in some timezones.
Fixed an issue with top downloaders / submitters statistics page losing filters when changing pages.
Fixed an issue with downloads storage handler custom URL when upgrading from 3.x.
Fixed an issue with top uploads statistics page losing filters when changing pages.
Improved converted row caching when running multiple conversions back-to-back.
Conversions will now explicitly strip HTML tags in member titles.
Attempt to correct corruption of serialized profile field data during conversion from vB.
Fixed a potential issue that can occur converting vB Blog.
Fixed certain data not being converted (affects SMF, vB5, Vanilla, phpBB, UBBThreads, Expression Engine).
Fixed an issue where the 'manage conversions' page may not load if you have legacy conversions.
Fixed an issue when converting content from vB5 which contains [IMG2] or [USER] BBCode.
Fixed an issue when converters attempt to convert administrators if the last update time is available.
Fixed a number of issues converting vB CMS attachments.
Added permalinks to the Information, Shipping, and Reviews tabs when viewing a package in the store.
Added a new 'neutral' display for ticket history statistics (i.e. if a statistic matches the 30 days prior).
Fixed an issue where members could add themselves as an alternative contact.
Changed the package seo name column length to 255 characters.
Fixed renewal invoices being generated with the wrong billing address for transferred purchases.
Fixed an error fetching license key info through the Commerce license key API
Fixed an issue where the tax name in invoice emails could be missing.
Fixed an issue where deleting a support department can result in an error in some circumstances, if that department had custom fields mapped to it.
Third-Party / Developer / Designer Mode
Applications can no longer be set as the default application if they have no front modules.
Fixed an error creating a new conversion software library using the AdminCP tools.
Fixed an issue where content items that have not defined a `$ containerNodeClass` property could throw an error during searches.