security vulnerability

  1. GhostyCeh

    Not a bug Getting user's ip

    Insert image that redirects to iplogger by using image by URL and just wait for them to download the image
  2. ibnesayeed

    Not a bug XSS vulnerability in jQuery version used in XF 1.5

    XF 1.5.21 (and some older versions) use jQuery 1.11.0 which has a known XSS security vulnerability of medium severity.
  3. wen2018

    XF 2.0 How not to embed Google Analytics in conversation pages?

    I don't think conversations need to be sniffed by Google Analytics, so is there a way to exclude Google Analytics from conversation pages? Maybe wrapping <xen:if is="{$isConversation}"> around the analytics template works, but what would the isConversation variable be?
  4. Alpha1

    Lack of interest Error Reports without security sensitive details

    When posting Error Reports in public forums like or a developers forum its unwise to post raw error reports as that will expose server details, user details and xenforo details of the website, which can be abused by hackers. The report itself could still show the full details. but...
  5. jOOc

    CloudBleed HTTPS traffic leak

    Between 2016-09-22 - 2017-02-18 passwords, private messages, API keys, and other sensitive data were leaked by Cloudflare to random requesters. Data was cached by search engines, and may have been collected by random adversaries over the past few months...
  6. Adrian Perez

    Where to report security issues?

    I've found a minor-to-medium security issue on XenForo's default install, I've been searching for resources for responsible disclosure of this, but I haven't been able to find any. Please let me know.
  7. Chris D

    Potential FFmpeg security vulnerability

    It recently came to our attention that there is a potential vulnerability in FFmpeg which has the potential to be exploited via XenForo Media Gallery if you have FFmpeg features enabled (or are using any other code that uses FFmpeg). The issue is exploitable by using a specially constructed...
  8. O

    XF 1.5 1.5.4 - What was the specially crafted profile post for the security vulnerability?

    Just out of curiosity, what was the specially crafted profile post that triggered the security vulnurability?
  9. Alpha1

    Duplicate Remove Flash from XF: security warning on

    Browsers like Firefox are blocking Adobe Flash and showing a security warning: Firefox has prevented the unsafe plugin "Adobe Flash" from loading on Meanwhile Facebook is calling on Adobe to kill Flash and states that its no longer a risk worth taking. I suggest to remove Flash...
  10. Amaury

    Possible Security Vulnerability with Adobe Flash

    If you're running, you're fine. Anything below and you should update as soon as possible. You can check your version here: Adobe - Flash Player Credit to a friend of mine from another forum: Adobe Flash possibly compromised | KH-Vids | Your ultimate source for Kingdom Hearts media...
  11. X

    DNS lookup vulnerability (CVE-2015-0235) in glibc (XF is a vector when on Linux)

    Info: This issue affects anyone doing DNS lookups, including reverse DNS lookups. XenForo explicitly does DNS lookups of IPs at registration time, and as such...
Top Bottom