Xenforo vs vBulletin vs Invision - history of vulnerabilities (Xenforo the clear winner)

Interesting take!

I go by taste rather than looking up those stats.

Sniff test = if it is buggy the software stinks.

Xenforo usually passes the sniff test!
vB doesn't
Invision is too buggy and doesn't
 
The first one is already fixed and was shipped with 2.2.14 or .15.

The second one is absolutely not a valid vulnerability. Being able to edit advertising HTML is an as-designed feature. It's no secret that if you can edit HTML, you can insert scripts. And with advertising more than anything, we absolutely expect various scripts to be used here - how else would advertising ever be able to work?
 
An admin with access to editing forums can add scripts to forum descriptions too, and can close the forum and add the XSS scripts there too! 😮
 
When comparing vulnerabilities it's worth noting the actual payload e.g. vBulletin's worst data breach not only compromised forum users but also customer accounts including names, addresses, birth dates, security Q&As, email addresses, home page URLs, IM identities, IP addresses and passwords.
 
When comparing vulnerabilities it's worth noting the actual payload e.g. vBulletin's worst data breach not only compromised forum users but also customer accounts including names, addresses, birth dates, security Q&As, email addresses, home page URLs, IM identities, IP addresses and passwords.
How recent was that?
 
Update


Security Fix​

Today we are advising all customers running XenForo that a potential security vulnerability has been identified. All affected customers should either upgrade to XenForo 2.1.15 or XenForo 2.2.16.

If you are a XenForo Cloud customer, a fix has been rolled out automatically, and no further action is required to address this issue.

If you are running a pre-release version of XenForo 2.3, you should follow the instructions in the announcement thread for the XenForo 2.3.0 Release Candidate 1 release.

The issue relates to a potential cross-site request forgery and code injection vulnerability which could lead to a remote code execution (RCE) or cross-site scripting (XSS) exploit.

XenForo extends thanks to independent security researcher, Egidio Romano (EgiX), working with SSD Secure Disclosure.

We recommend doing a full upgrade to resolve the issue, but a patch can be applied manually to any version. See below for further details.

[source]

No details were available on SSD SD site.
 
IP.Board had another vulnerability.



Code:
Summary

IP.Board e-commerce plugin ‘nexus’ contains two security vulnerabilities that when combined can be used to trigger a pre-auth RCE in AdminCP.

Credit

An independent security researcher, Egidio Romano from Karma(In)Security, working with SSD Secure Disclosure.

Vendor Response

The vendor has released a new version of IP.Board with appropriate fixes: https://invisioncommunity.com/release-notes/4716-r128/

Affected Versions

IP.Board version 4.7.15 and prior with ‘nexus’ plugin enabled

CVE

CVE-2024-30162 for the Remote Code Execution
CVE-2024-30163 for the Blind SQL Injection
Technical Analysis

Blind SQL Injection

The vulnerable code is located in the /applications/nexus/modules/front/store/store.php script

Specifically, in the IPS\nexus\modules\front\store_store::_categoryView() method:
 
Back
Top Bottom