XF 2.1 pre-2.1.10 potential data theft or unauthenticated access

Joao Prates


In the new 2.1.10 version release notes we can read that the previous version had an XSS "security vulnerability potentially allowing data theft or unauthenticated access".

Is there any easy way to determine if one's system was breached in any form from this vulnerability?




XenForo moderator
Staff member
The exploit was not publicly known and was never published so it's highly unlikely your particular installation was actively targeted and exploited.

Joao Prates

I'm sure you are well aware of all the bots scanning the internet searching for weak points and back doors, they don't need public statements letting them know the site has a vulnerability.

Each day the amount of scans our site gets (just like any other) is impressive, and that's not due to our site being famous or important or anything like it, it's just there and bots try to find ways to get in... regular logins, database direct accesses, etc, and in the list I bet XSS vulnerabilities are there.

The proof this is common is that if we look at all the companies doing security scans for web servers, the XSS test is always there listed in their tests, and it's quite frequently one that pops out as a detected vulnerability.

So, it's not a matter of "highly unlikely" or whatever the odds. It's just that I would very much like to know if this vulnerability was exploited or not.

It's not our case but imagine if we had credit card numbers saved... just saying "it's highly unlikely your particular installation was actively targeted and exploited." would not do, would it?

So, back to the start: Is there an easy way to determine if we were targeted?

Chris D

XenForo developer
Staff member
We can’t really expand much more than what Brogan has already said and what was said in the announcement.

The issue had some very specific reproduction steps which would require an authenticated user such as an admin being coerced into performing a specific set of actions. If successful it would have allowed the attacker to gain control of the user’s session but due to many other mitigations in the software they would be very limited in what they’d have access to.

For example they would not know the username and password of the account so they wouldn’t be able to access the Admin control panel, or if a valid admin session existed, access would be prevented due to our various session management security measures.

The potential exploit was reported to us by a customer rather than being discovered through an active exploit.

With all that in mind it simply is the case that it is unlikely anyone was targeted by this and we are not aware of anyone being targeted.

You would have to look through IP, moderator and admin logs to ascertain whether there has been any unusual or unauthorised activity on any of your accounts.
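
One way to carry out the log review suggested above, as an added example that is not part of the thread and not XenForo code: it flags admin or moderator actions made from an address the account never logged in from, which is what use of a hijacked session would look like. The CSV layout, column names and sample rows are constructed assumptions, not XenForo's log schema.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export. Column names and "source" values are
# assumptions for this example, not XenForo's log schema.
SAMPLE_LOG = """\
user_id,ip,timestamp,source,action
1,198.51.100.7,2020-06-01T09:00:00,ip,login
1,198.51.100.7,2020-06-01T09:05:00,admin,options/update
1,203.0.113.50,2020-06-01T09:12:00,admin,users/edit
1,198.51.100.7,2020-06-01T09:20:00,admin,options/update
2,192.0.2.10,2020-06-01T10:00:00,ip,login
2,192.0.2.10,2020-06-01T10:30:00,moderator,thread/delete
2,192.0.2.99,2020-06-03T08:00:00,ip,login
2,192.0.2.99,2020-06-03T08:10:00,moderator,post/edit
"""

def load_rows(text):
    """Parse the export and return rows in chronological order."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["timestamp"] = datetime.fromisoformat(r["timestamp"])
    return sorted(rows, key=lambda r: r["timestamp"])

def flag_unusual(rows, window=timedelta(minutes=30)):
    """Return (row, reasons) for privileged actions that need a manual look."""
    login_ips = {}  # user_id -> addresses that account has logged in from
    last_seen = {}  # user_id -> (ip, timestamp) of the account's previous entry
    findings = []
    for r in rows:
        user, ip, ts = r["user_id"], r["ip"], r["timestamp"]
        if r["action"] == "login":
            login_ips.setdefault(user, set()).add(ip)
        elif r["source"] in ("admin", "moderator") and ip not in login_ips.get(user, set()):
            # A stolen session is used without logging in, so the address
            # has no matching login entry for that account.
            reasons = ["no login from this IP"]
            prev = last_seen.get(user)
            if prev and prev[0] != ip and ts - prev[1] <= window:
                reasons.append("account active from another IP within window")
            findings.append((r, reasons))
        last_seen[user] = (ip, ts)
    return findings

if __name__ == "__main__":
    for row, reasons in flag_unusual(load_rows(SAMPLE_LOG)):
        print(row["timestamp"], row["user_id"], row["ip"], row["action"], reasons)
```

A finding is a prompt for manual review, not proof of compromise: mobile networks and VPNs also change a user's address between requests.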