
Multiple Vulnerabilities Found In XenForo Internet Forum Solution

Latest Hacking News

Numerous security vulnerabilities riddled the XenForo Internet forum solution, one of which could even allow remote code execution attacks. XenForo has patched the vulnerabilities with the latest release, urging users to update.

XenForo Vulnerabilities Could Allow Remote Code Execution

According to a recent security update shared on the XenForo forums, the service addressed numerous security vulnerabilities with the latest XenForo release.

As stated, the vulnerabilities included a cross-site request forgery (CSRF) and code injection flaw that could lead to remote code execution and cross-site scripting (XSS) attacks.

XenForo credited the security researcher Egidio Romano for reporting most of these flaws via SSD Secure Disclosure.

While the firm didn't share details about the vulnerabilities in its post, SSD Secure Disclosure shared a detailed analysis in a separate advisory. These vulnerabilities include CVE-2024-38457 – a CSRF vulnerability, and CVE-2024-38458 – a remote code execution flaw.

Describing the issues, the advisory reads,

A vulnerability in XenForo allows a user to trigger an RCE via incorrect parsing and handling of user provided templates, this combined with another CSRF vulnerability might allow unauthenticated attackers to execute arbitrary code whenever an admin user with permissions to administer styles / widgets will visit a specially crafted page / link.

In the worst exploits, the attackers could cause data breaches, website defacement, or server compromise.


These vulnerabilities affected XenForo versions before 2.1.14 and 2.1.15. While the latter carried the fix for the vulnerability impacting XenForo 2.1.14 and earlier, it also developed some other security flaws, which required another patch. Thus, the service released a subsequent update, 2.1.16, addressing all the vulnerabilities identified so far.

The service confirmed releasing all the security fixes with XenForo Cloud, saving Cloud customers from the hassle of upgrading. However, users running older XenForo versions must make sure to update to the latest releases manually. Besides, XenForo also rolled out the security fixes for XenForo 2.3 pre-release users with XenForo 2.3.0 Release Candidate 1. In addition, the firm also released the same security patches with the following XenForo add-ons.

  • XenForo Media Gallery 2.3.0 Release Candidate 1
  • XenForo Resource Manager 2.3.0 Release Candidate 1
  • XenForo Enhanced Search 2.3.0 Release Candidate 1

Users can find the details for this pre-release update here.

Let us know your thoughts in the comments.


© 2024 cyberbeatnews.com – All Rights Reserved.