Security Update 2023-06-20 - Lifetime owners excluded?

[Jade D]

WHMCS have just sent a notice regarding an exploit that affects all versions of WHMCS. 

Sadly, it seems that owned license holders are exempt from receiving critical patches?

I was a happy paying customer who paid their $99 per year for support and updates until the massive shift, and now I've been left in the dark.

Can WHMCS staff kindly review this considering the impact of this matter, had this exploit been identified during the time in which I had paid for support a patch would have been released and further to this, the fact that the exploit affects all versions of whmcs means that this exploit existed when I had active support.

[WHMCS John]

Hi @Jade D,

Which version of WHMCS are you currently running, please?

[Jade D]

Hey John,

Thanks for the quick reach out, would you mind sending me a PM?

Two versions that I have are pre 8.5 - last available version prior to annual support being discontinued.

[SVCode]

We also have a 7.10.3 install - as the way the contacts/accounts are managed just doesn’t work for us in the newer releases.  The later releases caused all sorts of issues with customers changing email addresses and passwords, locking themselves out of portal accounts.

We just need/needed a 1 user 1 login system, which we were/are unable to achieve with later versions - last time we tried.

Really stuck now 😕

Edited June 21, 2023 by SVCode

[WHMCS John]

Targeted Security Releases have been published for our Current and Long Term Support versions (8.7 and 8.6)

Owned License holders will be able to auto-update to 8.7.3 or 8.6.2, if your Support & Updates was active during those releases.

We have also exceeded our Long Term Support policy by providing a patch for 8.5, because it recently reached End of Life. Users can apply if your Support & Updates was active during the 8.5 release.

 

We do not recommend running an End of Life version of WHMCS for this reason.

However on this occasion, if you're running an older End of Life version, please contact support and we can assist: https://www.whmcs.com/submit-a-ticket/

[Jade D]

Hi John,

 

Thank you for your consideration in this regard - ticket sent - MKF-619733

[SVCode]

Much obliged - ticket MRJ-543495 created. 

[Jade D]

Thank you John!

Patch files received, really appreciate the assistance.

Could I ask that you or one of the seniors there take a look at ticket FDF-361863

[carlswart]

Thank you for helping us and making the internet a safer place. :)

Please see ticket: ROO-695840

[rugg]

Hi.

clould please check my ticket ILF-000920 .

thanks alot.

[lulzkiller]

Here is another WHMCS owned license holder, my ticket ID Is #RJD-917267  Would be nice with a quick response :)

[cluster]

Thank you John - Ticket Created #YDE-029749

[tokenuser]

Is there a way to get a patch for 8.4.1? It's the last version we were able to download with our "lifetime" license. 

[Jade D]

3 minutes ago, tokenuser said:

Is there a way to get a patch for 8.4.1? It's the last version we were able to download with our "lifetime" license. 

You got lucky with your renewal date, ours is a few versions before but still within version 8

[tokenuser]

But 8.4.1 is also EOL and I cannot find a patch for this version. 

[Jade D]

I created a ticket as per @WHMCS John and he / support team were fortunately able to provide a patch file, make sure you do the same and good luck.

[Remitur]

Hello.
I too just created a ticket ( #TTF-551373 ) for @WHMCS John ...

Thank you!

[bear]

After applying this patch (early 8x version), Stripe payments are "uncaptured" at the gateway and WHMCS offers the clients just "Oops, something went wrong", so they try a few more times before opening a ticket. Anyone else notice oddness in this? the timing of the issue began immediately after applying the patch for us.

[SeanP]

They sent me the patch, then replied back later with the following:

"A defect has been identified in the Security Update 2023-06-20 patch provided for End of Life versions of WHMCS, which causes an error during payment captures made using the Stripe payment gateway."

I was then sent an updated version of the patch, that supposedly corrected this issue.  I do not use Stripe, so I'm not able to test that part.

 

Edited July 13, 2023 by SeanP

[bear]

Thanks Sean. Never got the email, but asked via ticket.

[SeanP]

18 hours ago, bear said:

Thanks Sean. Never got the email, but asked via ticket.

I didn't get an email either.  I asked about it via a support ticket, as well.