Not a bug Host header manipulation

Moes

New member
By manipulation of the Host header, XenForo loads resources from any host provided by user input. This could be a problem when pages are being cached. A cache poisoning attack might then cause big trouble. Isn't there a fix available for this?

Thanks in advance
 
XenForo doesn't do page caching like that out of the box. This would be site-level URL canonicalization (to ensure the host is always what you expect) and is really something that should be handled outside of XenForo.

If you have any questions about doing this canonicalization, please associate your account with your license and post in the support forum.
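
As an added illustration (not part of the thread and not XenForo's own configuration), here is one way to do this host canonicalization in front of the application. It assumes an nginx front end with PHP-FPM; the hostname `forum.example.com`, the certificate paths, the document root and the socket path are placeholders.

```nginx
# Catch-all: a request whose Host header (or TLS SNI name) matches no
# named server block below ends up here and never reaches PHP.
server {
    listen 80 default_server;
    listen 443 ssl default_server;
    server_name _;
    ssl_reject_handshake on;   # nginx 1.19.4+; no certificate needed here
    return 444;                # close the connection without a response
}

# Known plain-HTTP names are redirected to a hard-coded canonical origin.
# The redirect target never reflects the client's Host header.
server {
    listen 80;
    server_name forum.example.com www.forum.example.com;
    return 301 https://forum.example.com$request_uri;
}

# The only block that serves the forum. PHP sees exactly one host name.
server {
    listen 443 ssl;
    server_name forum.example.com;

    ssl_certificate     /etc/ssl/forum.example.com.crt;   # placeholder
    ssl_certificate_key /etc/ssl/forum.example.com.key;   # placeholder

    root  /var/www/xenforo;                                # placeholder
    index index.php;

    location / {
        # Front-controller rewrite; adjust to your install.
        try_files $uri $uri/ /index.php?$uri&$args;
    }

    location ~ \.php$ {
        include       fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        # Pin the name the application sees, independent of the request.
        fastcgi_param SERVER_NAME forum.example.com;
        fastcgi_pass  unix:/run/php/php-fpm.sock;          # placeholder
    }
}
```

If a cache or CDN sits in front of nginx, it needs the same host allowlist, since it is the component that would store a response generated for an unexpected host.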
 