Multiple Vulnerabilities Found In XenForo Internet Forum Solution
Numerous security vulnerabilities plagued the XenForo Internet Forum solution, with one of them potentially allowing remote code execution attacks. XenForo has released patches for these vulnerabilities in their latest update, urging users to update their systems.
XenForo Vulnerabilities Could Lead to Remote Code Execution
A recent security announcement on the XenForo forums states that the latest release addresses multiple security vulnerabilities.
The flaws include a cross-site request forgery (CSRF) vulnerability and a code injection flaw in template handling; chained together, they could lead to remote code execution (RCE) on the forum server, and the same weaknesses also enable cross-site scripting (XSS).
XenForo acknowledged security researcher Egidio Romano for reporting most of these flaws through SSD Secure Disclosure.
Although XenForo did not provide specific details about the vulnerabilities in its announcement, SSD Secure Disclosure published a more detailed analysis in a separate advisory. The vulnerabilities identified include CVE-2024-38457, the CSRF vulnerability, and CVE-2024-38458, the remote code execution flaw.
According to the advisory, “A vulnerability in XenForo allows a user to trigger an RCE via incorrect parsing and handling of user-provided templates, combined with another CSRF vulnerability. This could potentially allow unauthenticated attackers to execute arbitrary code whenever an admin user with permissions to administer styles/widgets visits a specially crafted page/link.”
Because the injected code runs on the server with the privileges of the forum application, a successful attack could lead to data theft, website defacement, or full compromise of the hosting server. Note that the chain requires an administrator with style or widget permissions to be lured to an attacker-controlled page while logged in, so administrators should treat unsolicited links with particular caution until the update is applied.
According to the article, the original flaws affected XenForo 2.1.14 and earlier. XenForo 2.1.15 fixed them, but that release itself introduced additional security flaws, so XenForo published a further update, version 2.1.16, to address all known vulnerabilities. Administrators who only applied 2.1.15 should therefore upgrade again.
XenForo confirmed that all security fixes have already been applied to XenForo Cloud, so Cloud customers do not need to take any action. Self-hosted users running older XenForo versions must upgrade to the latest releases themselves. The security patches have also been extended to XenForo 2.3 pre-release users via XenForo 2.3.0 Release Candidate 1, and XenForo has shipped the same security updates for the following add-ons:
- XenForo Media Gallery 2.3.0 Release Candidate 1
- XenForo Resource Manager 2.3.0 Release Candidate 1
- XenForo Enhanced Search 2.3.0 Release Candidate 1