We have recently become aware of a security issue relating to a third-party library included with XenForo Media Gallery and have released a patch to resolve this issue. The issue is a cross site scripting (XSS) flaw that could allow an attacker to steal cookies or force a user to take actions without their consent or knowledge (possibly including administrative actions). We recommend all XenForo Media Gallery customers use one of the methods described below to resolve this issue and improve their security.
We would like to thank @batpool52! for bringing this to our attention.
If you have any questions regarding this patch, please post in the Media Gallery Support forum.
Method 1: Install the Patch
Download the patch zip file attached to the end of this message. It contains 2 files:
Note that with this method there is no outward indication that the patch has been applied.
Method 2: Upgrade to the New Version
The security fix can be applied by downloading 1.0.8 from your customer area and upgrading XenForo Media Gallery as normal.
Customers Running XenForo Media Gallery 1.1.0 Beta 1
The security issue affects this version as well but requires different changes. These will be fixed when 1.1.0 Beta 2 released at its normal time. As we do not recommend running beta versions in production, you should simply be able to wait until the next release for the fix. However, if you must apply a fix now, please click the button below for patching instructions. Note that this is not a method we can officially support.
We would like to thank @batpool52! for bringing this to our attention.
If you have any questions regarding this patch, please post in the Media Gallery Support forum.
Method 1: Install the Patch
Download the patch zip file attached to the end of this message. It contains 2 files:
- js/xengallery/media_add.js
- js/xengallery/min/media_add.js
Note that with this method there is no outward indication that the patch has been applied.
Method 2: Upgrade to the New Version
The security fix can be applied by downloading 1.0.8 from your customer area and upgrading XenForo Media Gallery as normal.
Customers Running XenForo Media Gallery 1.1.0 Beta 1
The security issue affects this version as well but requires different changes. These will be fixed when 1.1.0 Beta 2 released at its normal time. As we do not recommend running beta versions in production, you should simply be able to wait until the next release for the fix. However, if you must apply a fix now, please click the button below for patching instructions. Note that this is not a method we can officially support.