Multiple Vulnerabilities Found In XenForo Internet Forum Solution
Numerous security vulnerabilities plagued the XenForo Internet Forum solution, with one of them potentially allowing remote code execution attacks. XenForo has released patches for these vulnerabilities in their latest update, urging users to update their systems.
XenForo Vulnerabilities Could Lead to Remote Code Execution
A recent security update on the XenForo forums revealed that the latest release addresses multiple security vulnerabilities.
These vulnerabilities included a cross-site request forgery (CSRF) flaw and a code injection flaw that could result in remote code execution and cross-site scripting (XSS) attacks.
XenForo acknowledged security researcher Egidio Romano for reporting most of these flaws through SSD Secure Disclosure.
Although XenForo did not provide specific details about the vulnerabilities in their announcement, SSD Secure Disclosure published a comprehensive analysis in a separate advisory. The vulnerabilities identified include CVE-2024-38457, a CSRF vulnerability, and CVE-2024-38458, a remote code execution flaw.
According to the advisory, “A vulnerability in XenForo allows a user to trigger an RCE via incorrect parsing and handling of user-provided templates, combined with another CSRF vulnerability. This could potentially allow unauthenticated attackers to execute arbitrary code whenever an admin user with permissions to administer styles/widgets visits a specially crafted page/link.”
In the most severe cases, attackers could exploit these vulnerabilities to carry out data breaches, website defacement, or server compromise.
These vulnerabilities affected XenForo 2.1.14 and earlier as well as 2.1.15. Version 2.1.15 addressed the flaw affecting 2.1.14 and earlier, but it also introduced additional security flaws that required another patch. Consequently, XenForo released a further update, version 2.1.16, to address all known vulnerabilities.
XenForo confirmed that all security fixes have been implemented in XenForo Cloud, eliminating the need for Cloud users to manually update. However, users running older XenForo versions must ensure they upgrade to the latest releases. Additionally, the security patches have been extended to XenForo 2.3 pre-release users with XenForo 2.3.0 Release Candidate 1. The firm has also released the same security updates for the following XenForo add-ons:
- XenForo Media Gallery 2.3.0 Release Candidate 1
- XenForo Resource Manager 2.3.0 Release Candidate 1
- XenForo Enhanced Search 2.3.0 Release Candidate 1
For more information on this pre-release update, users can refer to the details provided here.