Multiple Vulnerabilities Found In XenForo

joelr

Addicted member
Administrator
Joined
Apr 16, 2023
Messages
964
Website
admin-junkies.com
Credits
1,987
According to a recent security update shared on XenForo forums, the service addressed numerous security vulnerabilities with the latest XenForo release.

As stated, the vulnerabilities included a cross-site request forgery (CSRF) and code injection flaw that could lead to remote code execution and cross-site scripting (XSS) attacks.

XenForo credited the security researcher Egidio Romano for reporting most of these flaws via SSD Secure Disclosure. While the firm didn’t share details about the vulnerabilities in its post, SSD Secure Disclosure shared a detailed analysis in a separate advisory. These vulnerabilities include CVE-2024-38457 – a CSRF vulnerability, and CVE-2024-38458 – a remote code execution flaw.

https://xenforo.com/community/threa...-2-6-released-includes-security-fixes.222133/
 
They released a patch for 2.1.15 and also for 2.1.16. You could either apply the patch manually or use the upgrade feature in the ACP if your license was active for updates/support. That was why they also released a patch that could be uploaded to the site, for those that did not have active support for the "latest & greatest" downloads.

It was very unexpected to see XenForo go to the extent of making this patch available for those who didn't have any active support. It would definitely feel like Christmas came early for such forum owners.
 
In my decade+ of using it, I have seen this done before if the issue was severe enough to affect the security of anyone using the script (I have also seen it done for fixes for a major boo-boo in their code that affected the use of the script). You cannot fault XF in that aspect. They have usually taken it that extra step beyond what other script developers have done in similar instances. If it has been a big enough security hole they want everyone to get it patched. Having software out there being run with a known security hole is not a good idea either from the license holder's aspect or from theirs from a PR aspect.
 
Never used Xenforo myself so information like this will help me in future, when I am ready to migrate to a premium software. By the way, how do vulnerabilities in Xenforo compare with other premium software?
Generally the coding in Xenforo is excellent and very secure. If there are "hacks" found they will release an update for license holders and generally a patch file if it is important enough (whereas other script providers force you to upgrade to a new version and if your license is expired you are forced to renew). If one needs a basic forum it is an excellent option. If one needs a more fully featured site (which is common in today's internet interfacing with users) you should investigate your other options like Invision or Woltlab and then compare those costs to what Xenforo and 3rd party add-ons may cost.
 

They knew what they were doing, and that is more like ensuring that those people get that bonus. I wouldn't want to look at it from any other angle than this. This is the reason many forum owners would wish to stick with the Xenforo software.
 

Yes of course! XenForo services are better irrespective of the fact that they are more expensive compared to the other alternatives out there which webmasters can work with. As long as they keep ensuring the users are getting a better support system, they will always be appreciated and it's good for business.
 
I think security-related patches are free for all right? At least that's how I thought it used to be.
It depends on the severity of the issue.
Of the major paid script providers, they are probably amongst the best about doing this if it is a major issue.
I know Invision will simply release a new version and if you don't have a current license.... you are simply out of luck.
 
