CMSB v3.77 Released (CRITICAL UPDATE: Upload Fixes)

Hi everyone,

We’ve identified two critical upload issues affecting versions 3.67-3.76 that can potentially cause data loss, and we’ve released an emergency update (v3.77) to address them. If you are affected, please upgrade as soon as possible. We’re also working on a lightweight plugin patch for sites that can’t update immediately.

This affects CMS installations where:

• You are running (or ran) v3.67-3.74 with a single-record section that allowed uploads, and files were uploaded while you were running those versions
• You are running v3.75-3.76 with WYSIWYG fields that allow uploads

Here's the details:

1. Orphan Upload Fix (v3.67-3.74)
   • In v3.67–3.74, uploads in single-record sections weren’t permanently linked to their parent record
   • Affected uploads became orphaned, making them eligible for automatic cleanup (deletion) 24 hours later when another upload was added
   • This only impacted sites using single-record sections with upload fields that received uploads while running v3.67-3.74
   • The issue was resolved by unrelated improvements introduced in v3.75 (released December 10, 2024)
   • Upgrading to v3.77+ will automatically reconnect any orphaned uploads remaining in the database
   • In addition to the fix, we've added multiple additional safeguards to prevent this from happening in the future
2. WYSIWYG Upload Content Loss (v3.75-3.76)
   • In v3.75-3.76, uploading files via WYSIWYG editors temporarily replaced the field’s content with upload counts in MySQL
   • WYSIWYG content could be lost if the record was not saved after uploading a file (e.g., if the user navigated away)
   • This only affected WYSIWYG fields that already had uploads associated with them
   • Upgrading to v3.77+ resolves this issue

Next Steps: 

• Upgrade to v3.77+ immediately if you meet either of the above conditions.
• If you can’t update your production server right away, we’ll release a minimal plugin patch shortly to address these issues until you can perform a full upgrade.
• If you need help, fill out a second-level support form: https://interactivetools.com/support/request/ or call us at 1-800-752-0455

Please know that we take issues like this very seriously and apologize for any disruption or concern this may have caused. Our team is committed to keeping your data safe, delivering quick fixes, and keeping you informed every step of the way. If you need assistance addressing these issues, let us know - we’re here to help.

The full changelog for this release is as follows:

*** June 1, 2025 - Version 3.77 (CRITICAL UPDATE: Upload Fixes)

SERVER REQUIREMENTS (Since Dec 2023): PHP 8.0+ and MySQL 5.7+ (or MariaDB 10.2+)

CRITICAL UPDATES
- Orphan Upload Fix (v3.67-3.74)
    - In v3.67–3.74, uploads in single-record sections weren’t permanently linked to their parent record
    - Affected uploads became orphaned, making them eligible for automatic cleanup (deletion) 24 hours later when another upload was added
    - This only impacted sites using single-record sections with upload fields that received uploads while running v3.67-3.74
    - The issue was resolved by unrelated improvements introduced in v3.75 (released December 10, 2024)
    - Upgrading to v3.77+ will automatically reconnect any orphaned uploads remaining in the database
    - Added additional safeguards against single-record upload orphaning
- WYSIWYG Upload Content Loss (v3.75-3.76)
    - In v3.75-3.76, uploading files via WYSIWYG editors temporarily replaced the field’s content with upload counts in MySQL
    - WYSIWYG content could be lost if the record was not saved after uploading a file (e.g., if the user navigated away)
    - This only affected WYSIWYG fields that already had uploads associated with them
    - Upgrading to v3.77+ resolves this issue

NEW FEATURES
- Admin > Backup & Restore:
    - Added ZIP compression support for manually created database backups and restores
    - Added support for restoring from MySQL/MariaDB engines with previously incompatible collation values (sorting)
    - Added "Zip uncompressed backups" link to compress existing .sql.php backup files to save disk space

MINOR CHANGES
- Security Hardening: Passwords with null bytes are now blocked to align with PHP's bcrypt password patch (CVE-2024-3096)
    Note: This is a preventative security best-practices measure only - no existing vulnerability
- CMS .htaccess: Added *.tmp and *.temp to blocked file extensions to prevent access to temporary files

BUG FIXES
- CMS Record Add/Edit: Improved errors for when a field can't display (due to SQL errors, etc.) and added "edit field" link
- Viewers: Fixed "Table doesn't exist" error when the following setting was enabled: Database > Viewers Tab:
    Disable Accounts: [X] Hide records that are "Created By" a user who is: deleted, disabled, or expiredDisable Accounts" is enabled
- searchMultipleTables() - Fixed "Warning: A non-numeric value encountered" error when numeric values provided as text strings
- getCategories() - Fixed issue where "selectedCategoryNum" used the wrong category num in preview mode
- Developer Log: Fixed issue that caused dates to be displayed as "never" instead of the actual date error was logged
- Misc code and other minor improvements

You can download the latest version here: https://www.interactivetools.com/download/

Please feel free to ask any questions or post any feedback, comments or questions.

Thank you!