
Multiple Vulnerabilities Found In XenForo Internet Forum Solution

Published on Latest Hacking News

Numerous security vulnerabilities plagued the XenForo Internet Forum solution, with one of them potentially allowing remote code execution attacks. XenForo has released patches for these vulnerabilities in their latest update, urging users to update their systems.

XenForo Vulnerabilities Could Lead to Remote Code Execution

A recent security update on the XenForo forums revealed that the latest release addresses multiple security vulnerabilities.

These vulnerabilities included a cross-site request forgery (CSRF) flaw and a code injection flaw that together could lead to remote code execution, as well as cross-site scripting (XSS).

XenForo acknowledged security researcher Egidio Romano for reporting most of these flaws through SSD Secure Disclosure.

Although XenForo did not provide specific details about the vulnerabilities in their announcement, SSD Secure Disclosure published a comprehensive analysis in a separate advisory. The vulnerabilities identified include CVE-2024-38457, a CSRF vulnerability, and CVE-2024-38458, a remote code execution flaw.

According to the advisory, “A vulnerability in XenForo allows a user to trigger an RCE via incorrect parsing and handling of user-provided templates, combined with another CSRF vulnerability. This could potentially allow unauthenticated attackers to execute arbitrary code whenever an admin user with permissions to administer styles/widgets visits a specially crafted page/link.”

In the most severe cases, attackers could exploit these vulnerabilities to carry out data breaches, website defacement, or server compromise.
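The chain the advisory describes, a CSRF weakness that lets an attacker-controlled page submit a template on behalf of a logged-in admin, combined with a renderer that treats template content as code, is easier to reason about with a model in hand. The following is an added illustration written for this article, not XenForo's code and not derived from details beyond the quoted advisory text: a toy session store, widget-template endpoint and template renderer in Python (XenForo itself is PHP), with the vulnerable and hardened versions side by side. All names (`save_widget_vulnerable`, `csrf_token`, `STORED_TEMPLATES`, the payload) are constructed for the example.

```python
"""Constructed, hypothetical model of a CSRF + template-injection chain.

Added illustration, not XenForo's code. A tiny session store, admin
endpoint and template renderer stand in for the real forum. The attacker
cannot read the admin's cookie or CSRF token; the browser attaches the
session cookie automatically to a cross-site form POST.
"""
import hmac
import html
import re
import secrets

SESSIONS = {}          # session cookie value -> session data
STORED_TEMPLATES = {}  # widget name -> template text (admin-controlled)

TAG = re.compile(r"\{\{(.*?)\}\}")


class Request:
    """Minimal stand-in for an HTTP POST (constructed for the example)."""
    def __init__(self, form, cookies):
        self.form = form
        self.cookies = cookies


def login_admin():
    """Create an admin session; returns the session cookie value."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": "admin", "csrf": secrets.token_hex(16)}
    return sid


# --- vulnerable side --------------------------------------------------------

def render_unsafe(template, context):
    """Evaluates {{ ... }} as code: whoever writes a template runs code."""
    return TAG.sub(lambda m: str(eval(m.group(1).strip(), {}, dict(context))), template)


def save_widget_vulnerable(req):
    """Checks only the session cookie, so any site the admin visits can POST here."""
    sess = SESSIONS.get(req.cookies.get("session"))
    if sess is None:
        return 403
    STORED_TEMPLATES["widget"] = req.form["template"]
    return 200


# --- hardened side ----------------------------------------------------------

def render_safe(template, context):
    """Substitutes only bare identifiers present in `context`, HTML-escaped."""
    def sub(m):
        name = m.group(1).strip()
        if not re.fullmatch(r"[A-Za-z_]\w*", name) or name not in context:
            raise ValueError(f"disallowed template expression: {name!r}")
        return html.escape(str(context[name]))
    return TAG.sub(sub, template)


def save_widget_hardened(req):
    """Requires a per-session token that the attacker's page cannot know."""
    sess = SESSIONS.get(req.cookies.get("session"))
    if sess is None:
        return 403
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(token, sess["csrf"]):
        return 403
    STORED_TEMPLATES["widget"] = req.form["template"]
    return 200


# --- the attack as the admin's browser would perform it --------------------

PAYLOAD = "{{ __import__('os').getpid() }}"   # stands in for attacker code


def csrf_attack_succeeds(handler):
    """Logged-in admin visits the attacker's page, which auto-submits a form to
    the widget endpoint. The browser adds the session cookie; the form body
    contains only what the attacker wrote (no CSRF token)."""
    STORED_TEMPLATES.clear()
    admin_cookie = login_admin()
    forged = Request(form={"template": PAYLOAD}, cookies={"session": admin_cookie})
    status = handler(forged)
    return status == 200 and STORED_TEMPLATES.get("widget") == PAYLOAD


def unsafe_renders_code():
    """True if the unsafe renderer executed the payload (a pid is all digits)."""
    return render_unsafe(PAYLOAD, {}).isdigit()


def safe_rejects(template):
    """True if the safe renderer refuses the template instead of evaluating it."""
    try:
        render_safe(template, {})
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable endpoint accepts forged POST:", csrf_attack_succeeds(save_widget_vulnerable))
    print("payload executed by unsafe renderer:", unsafe_renders_code())
    print("hardened endpoint accepts forged POST:", csrf_attack_succeeds(save_widget_hardened))
    print("safe renderer rejects payload:", safe_rejects(PAYLOAD))
```

Both halves of the fix matter: the per-session token stops the forged cross-site POST from being accepted at all, and the restricted renderer means that even a template saved by a legitimate admin cannot turn into code execution on the server. Checking `Origin`/`Sec-Fetch-Site` headers and `SameSite` cookies are additional defences the model omits for brevity.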

The vulnerabilities affected XenForo 2.1.14 and earlier, as well as 2.1.15: the latter fixed the flaw present in 2.1.14 and earlier but itself introduced further security flaws that required another patch. XenForo therefore released a further update, version 2.1.16, to address all known vulnerabilities.


XenForo confirmed that all security fixes have been implemented in XenForo Cloud, eliminating the need for Cloud users to manually update. However, users running older XenForo versions must ensure they upgrade to the latest releases. Additionally, the security patches have been extended to XenForo 2.3 pre-release users with XenForo 2.3.0 Release Candidate 1. The firm has also released the same security updates for the following XenForo add-ons:

  • XenForo Media Gallery 2.3.0 Release Candidate 1
  • XenForo Resource Manager 2.3.0 Release Candidate 1
  • XenForo Enhanced Search 2.3.0 Release Candidate 1

For more information on this pre-release update, users can refer to XenForo's release announcement.
