Numerous security vulnerabilities riddled the XenForo Internet Forum solution, one of which could even allow remote code execution attacks. XenForo has patched the vulnerabilities with the latest release, urging users to update.
XenForo Vulnerabilities Could Allow Remote Code Execution
According to a recent security update shared on XenForo forums, the service addressed numerous security vulnerabilities with the latest XenForo release.
As stated, the vulnerabilities included a cross-site request forgery (CSRF) and code injection flaw that could lead to remote code execution and cross-site scripting (XSS) attacks.
XenForo credited the security researcher Egidio Romano for reporting most of these flaws via SSD Secure Disclosure.
While the firm didn’t share details about the vulnerabilities in its post, SSD Secure Disclosure shared a detailed analysis in a separate advisory. These vulnerabilities include CVE-2024-38457 – a CSRF vulnerability, and CVE-2024-38458 – a remote code execution flaw.
Describing the issues, the advisory reads,
A vulnerability in XenForo allows a user to trigger an RCE via incorrect parsing and handling of user provided templates, this combined with another CSRF vulnerability. might allow unauthenticated attackers to execute arbitrary code whenever an admin user with permissions to administer styles / widgets will visit a specially crafted page / link.
In the worst exploits, the attackers could allow data breaches, website defacement, or server compromise.
These vulnerabilities affected XenForo versions before 2.1.14 and 2.1.15. While the latter carried the fix for the vulnerability impacting XenForo 2.1.14 and earlier, it also developed some other security flaws, which required another patch. Thus, the service released a subsequent update, 2.1.16, addressing all the yet-identified vulnerabilities.
The service confirmed releasing all the security fixes with XenForo Cloud, saving Cloud users from the effort of upgrading. However, users running older XenForo versions must ensure updating to the latest releases manually. Besides, XenForo also rolled out the security fixes for XenForo 2.3 pre-release users with XenForo 2.3.0 Release Candidate 1. In addition, the firm also released the same security patches with the following XenForo add-ons.
- XenForo Media Gallery 2.3.0 Release Candidate 1
- XenForo Resource Manager 2.3.0 Release Candidate 1
- XenForo Enhanced Search 2.3.0 Release Candidate 1
Users may find the details for this pre-release update here.
Let us know your thoughts in the comments.
