Security Fix
Today we are advising all customers running XenForo that a potential security vulnerability has been identified. All affected customers running XenForo 2.3.0 should upgrade to XenForo 2.3.0 Release Candidate 1, including XenForo Media Gallery 2.3.0 Release Candidate 1 if needed.If you also have active installs of XenForo 2.2 or XenForo 2.1 you should refer to the earlier thread with details and patch.
The issue relates to a potential cross-site request forgery and code injection vulnerability which could lead to a remote code execution (RCE) or cross-site scripting (XSS) exploit.
XenForo extends thanks to independent security researcher, Egidio Romano (EgiX), working with SSD Secure Disclosure.
We recommend doing a full upgrade to resolve the issue.
XenForo 2.3.0 Release Candidate 2 Released
Shortly after the release of Release Candidate 1, we identified an issue related to editing node-like permissions. A very minor bug was surfaced by the changes today. Specifically one of our view class names was using a\instead of a
:
Due to a localised shortage of version numbers (we cannot increment the version to a patch release for release candidates) we have released Release Candidate 2 to address this.
The specific files with changes are:
- src/XF/Admin/Controller/Node.php
- src/XF/Admin/Controller/Permission.php