A recent security update from XenForo has addressed multiple vulnerabilities in their Internet Forum solution, including one that could potentially lead to remote code execution attacks. Users are strongly advised to update to the latest release to patch these security flaws.
XenForo Vulnerabilities and Security Update
XenForo recently released a security update to address various security vulnerabilities in their platform, including a cross-site request forgery (CSRF) and code injection flaw that could potentially lead to remote code execution and cross-site scripting (XSS) attacks.
Credit for reporting most of these vulnerabilities goes to security researcher Egidio Romano, who shared their findings through SSD Secure Disclosure.
While specific details were not provided in the official announcement, SSD Secure Disclosure published a detailed analysis in a separate advisory. Notable vulnerabilities include CVE-2024-38457 (CSRF) and CVE-2024-38458 (remote code execution).
According to the advisory, an exploit in XenForo could allow an attacker to trigger remote code execution by manipulating user-provided templates, potentially leading to unauthorized code execution.
The vulnerabilities affected XenForo versions prior to 2.1.14 and 2.1.15. While the latter release addressed the issues impacting older versions, it also introduced new security flaws, prompting the subsequent release of version 2.1.16 to address all identified vulnerabilities.
Cloud users of XenForo were automatically protected with the security fixes, while users on older versions must manually update to the latest releases. Additional security patches were also rolled out for pre-release versions and various XenForo add-ons.
- XenForo Media Gallery 2.3.0 Release Candidate 1
- XenForo Resource Manager 2.3.0 Release Candidate 1
- XenForo Enhanced Search 2.3.0 Release Candidate 1
For more information on the pre-release update, visit this link.
We encourage you to share your thoughts in the comments section below.