Today we are advising all customers running XenForo that a potential security vulnerability has been identified. All affected customers should either upgrade to XenForo 2.1.15 or XenForo 2.2.16.
If you are a XenForo Cloud customer, a fix has been rolled out automatically, and no further action is required to address this issue.
If you are running a pre-release version of XenForo 2.3, you should follow the instructions in the announcement thread for the
.
The issue relates to a potential cross-site request forgery and code injection vulnerability which could lead to a remote code execution (RCE) or cross-site scripting (XSS) exploit.
XenForo extends thanks to independent security researcher, Egidio Romano (EgiX), working with
.
We recommend doing a full upgrade to resolve the issue, but a patch can be applied manually to any version. See below for further details.
To patch this issue manually you will need to edit one file manually
and upload some changed files.
Find the following line in this file:
Replace that line with the following:
Note: This file is not included in the patch download attached to this post as it contains install-specific data. You
must apply this change manually to any XenForo installation running XenForo 2.1 or 2.2 to effectively fix the issue. This only applies if you are unable to do a normal upgrade.
- Download either 2115-patch.zip (for XenForo 2.1) or 2216-patch.zip (for XenForo 2.2).
- Extract the .zip file
- Upload the contents of the upload directory to the root of your XenForo installation
- Download either xfmg219-patch.zip (for XenForo Media Gallery 2.1) or xfmg226-patch.zip (for XenForo Media Gallery 2.2).
- Extract the .zip file
- Upload the contents of the upload directory to the root of your XenForo installation