We have recently become aware of a security issue relating to a third-party library included with XenForo Media Gallery and have released a patch to resolve this issue. The issue is a cross site scripting (XSS) flaw that could allow an attacker to steal cookies or force a user to take actions without their consent or knowledge (possibly including administrative actions). We recommend all XenForo Media Gallery customers use one of the methods described below to resolve this issue and improve their security.
If you have any questions regarding this patch, please post in the Media Gallery Support forum.
Method 1: Install the Patch
Download the patch zip file attached to the end of this message. It contains 3 files:
You can confirm that the patch has been applied properly by viewing a media item and looking at the "Share This Media" block. There should be no "copy" buttons next to the text-based sharing options. (Please note that you may have to hard refresh your browser to ensure that cached JS files are not used.)
Method 2: Download XFMG 1.0.1a and upload all files
The version of XenForo Media Gallery has been updated in the customer area to 1.0.1a to indicate that the patch has been applied to the original version of 1.0.1. (Please note that the version number listed in the XenForo control panel will not change. You can confirm that you have downloaded 1.0.1a by looking at the file name of the zip containing the XFMG files.)
The patch can be applied by downloading 1.0.1a from the customer area and acting as if you are upgrading XFMG as normal.
You can confirm that the patch has been applied properly by viewing a media item and looking at the "Share This Media" block. There should be no "copy" buttons next to the text-based sharing options. (Please note that you may have to hard refresh your browser to ensure that cached JS files are not used.)
If you have any questions regarding this patch, please post in the Media Gallery Support forum.
Method 1: Install the Patch
Download the patch zip file attached to the end of this message. It contains 3 files:
- js/xengallery/media_share.js
- js/xengallery/ZeroClipboard.swf
- js/xengallery/min/media_share.js
You can confirm that the patch has been applied properly by viewing a media item and looking at the "Share This Media" block. There should be no "copy" buttons next to the text-based sharing options. (Please note that you may have to hard refresh your browser to ensure that cached JS files are not used.)
Method 2: Download XFMG 1.0.1a and upload all files
The version of XenForo Media Gallery has been updated in the customer area to 1.0.1a to indicate that the patch has been applied to the original version of 1.0.1. (Please note that the version number listed in the XenForo control panel will not change. You can confirm that you have downloaded 1.0.1a by looking at the file name of the zip containing the XFMG files.)
The patch can be applied by downloading 1.0.1a from the customer area and acting as if you are upgrading XFMG as normal.
You can confirm that the patch has been applied properly by viewing a media item and looking at the "Share This Media" block. There should be no "copy" buttons next to the text-based sharing options. (Please note that you may have to hard refresh your browser to ensure that cached JS files are not used.)