XenForo Issues Urgent Security Patch to Thwart Remote Code Execution Threat
XenForo, a popular forum software platform, has released an urgent security patch to address a critical vulnerability that could leave websites open to remote code execution and cross-site scripting attacks. The flaws, tracked as CVE-2024-38457 and CVE-2024-38458, could enable malicious actors to take control of affected servers or inject harmful scripts into web pages viewed by unsuspecting users.
XenForo is a widely-used forum software known for its flexibility and extensive customization options. With a robust user base, ensuring the security of the platform is paramount. The latest advisory underscores this commitment, with XenForo taking swift action to address and rectify the identified vulnerabilities.
The vulnerability stems from a combination of cross-site request forgery (CSRF) and code injection weaknesses. If exploited, attackers could potentially execute arbitrary code on the server, leading to data breaches, website defacement, or even complete server compromise.
XenForo extends its gratitude to independent security researcher Egidio Romano (EgiX), who identified these vulnerabilities in collaboration with SSD Secure Disclosure.
XenForo has urged all customers running versions prior to 2.1.15 or 2.2.16 to take immediate action. The recommended course of action is to upgrade to either of these versions, which contain the security fix. Alternatively, a patch is available for manual application to any XenForo version.
XenForo Cloud users can rest assured that the fix has already been rolled out automatically. Those using a pre-release version of XenForo 2.3 are advised to follow specific instructions outlined in the release candidate announcement thread.
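The upgrade guidance above reduces to a version comparison against the two fixed releases the advisory names (2.1.15 and 2.2.16), with 2.3 pre-release builds handled separately. The following is an added example, not code from XenForo or from the advisory, that turns that guidance into a check an administrator can run over an installed version string. The `extract_version_from_xf_php` helper assumes, as a labelled assumption, that the installation's `src/XF.php` declares the version as a quoted string assigned to a property named `$version`; the sample file content below is constructed for the example.

```python
import re
from typing import Optional, Tuple

# Fixed releases named in the advisory: 2.1.15 on the 2.1 branch,
# 2.2.16 on the 2.2 branch.
FIXED_2_1 = (2, 1, 15)
FIXED_2_2 = (2, 2, 16)

# Leading major.minor.patch of strings such as "2.2.15" or
# "2.3.0 Release Candidate 2"; trailing text is ignored.
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)")

# Constructed stand-in for the relevant line of src/XF.php (not real file content).
SAMPLE_XF_PHP = "<?php\nclass XF\n{\n    public static $version = '2.2.15';\n"


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) or None when the string has no such prefix."""
    m = _VERSION_RE.match(text)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def extract_version_from_xf_php(source: str) -> Optional[str]:
    """Pull the version string out of a copy of src/XF.php.

    Assumption (not stated on the page): the file assigns the installed
    version as a quoted string to a property named $version.
    """
    m = re.search(r"\$version\s*=\s*['\"]([^'\"]+)['\"]", source)
    return m.group(1) if m else None


def assess(version_text: str) -> str:
    """Classify an installed version against the advisory's thresholds.

    'fixed'       - 2.1.15 or later on 2.1, 2.2.16 or later on 2.2
    'vulnerable'  - anything below those, including branches older than 2.1
                    (the advisory says the manual patch applies to any version)
    'prerelease'  - 2.3 pre-release builds; follow the RC announcement thread
    'not_covered' - branches newer than 2.3, which the advisory does not mention
    'unknown'     - the string could not be parsed
    """
    v = parse_version(version_text)
    if v is None:
        return "unknown"
    branch = (v[0], v[1])
    if branch == (2, 3):
        return "prerelease"
    if branch > (2, 3):
        return "not_covered"
    if branch == (2, 2):
        return "fixed" if v >= FIXED_2_2 else "vulnerable"
    if branch == (2, 1):
        return "fixed" if v >= FIXED_2_1 else "vulnerable"
    return "vulnerable"  # 2.0 and earlier predate both fixed releases


if __name__ == "__main__":
    installed = extract_version_from_xf_php(SAMPLE_XF_PHP)
    print(f"installed {installed}: {assess(installed or '')}")
```

Running the block against the constructed sample reports the 2.2.15 install as vulnerable; feeding it a real `src/XF.php` (read from disk) gives the same classification for a live site, and a `prerelease` result means the instructions in the 2.3 release candidate thread apply rather than the version thresholds.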
Beyond the critical security fix, XenForo 2.2.16 also introduces several improvements and bug fixes, enhancing the overall user experience:
- Developer Tools: Better support for classes with attributes and comments through improved xf-dev:class-use-function.
- Usability: Fixes for persistent action indicators and navigation, along with better error handling for bookmark editing.
- Security: Added a security locked phrase, refined email phrasing, and improved handling of disabled accounts.