XenForo 1.3.7 Released (Security Fix)

Today, we are releasing XenForo 1.3.7 to address two potential security vulnerabilities. We recommend that all customers running XenForo 1.3 upgrade to 1.3.7 or use the attached patch file as soon as possible.

The two issues are XSS vulnerabilities. XSS (Cross Site Scripting) issues allow scripts and malicious HTML to be injected into the page, potentially allowing data theft or unauthenticated access.
  • In the notices system, the name token was not escaped as expected. This could allow specially crafted requests to trigger an XSS for guests (or for a registered user to trigger an XSS on themselves).
  • In the filter list system in the admin control panel, dynamic highlighting when filtering did not escape output properly, potentially triggering an XSS against the user viewing the page.
Thanks to Diego Palacios for reporting these two issues.

Applying a Fix: Upgrading
You may upgrade to 1.3.7 to fix this issue. You should upgrade as you would to any other release.

Customers with an active license may download 1.3.7 from their customer area. Full details for how to install and upgrade XenForo can be found in the XenForo Manual.

Applying a Fix: Patching
Alternatively, this issue can be fixed by applying the patch in the attached file. You should simply overwrite the following files with the versions attached to this message:
  • js/xenforo/filter_list.js
  • js/xenforo/full/filter_list.js
  • library/XenForo/ViewRenderer/HtmlPublic.php
The files can be found at the same path within the attachment.


  • xf-patch-137.zip
    8.9 KB · Views: 110