XenForo 1.3.9 Released (Security Fix)

We have recently become aware of a security issue within XenForo and have released a patch and new version (XenForo 1.3.9) to resolve this issue. We strongly recommend all XenForo customers follow the steps below to resolve this issue.

The issue was discovered by Miguel Ángel Jimeno (@migueljimeno96). It employs a tactic known as "reverse tabnabbing" in which a link that opens in a new tab contains code that can redirect the original tab to another URL, which could be used as a phishing attempt.

If you have any questions relating to installing this patch or upgrading to the new version, please post in the Upgrade Support forum.

Method 1: Upgrade to the New Version

You may upgrade to XenForo 1.3.9 to fix this issue. You should upgrade as you would to any other release.

If you are currently running XenForo 1.2 or earlier, you must upgrade to a more recent version to fix this issue.

Customers with an active license may download this version from their customer area. Full details for how to install and upgrade XenForo can be found in the XenForo Manual.

Method 2: Install the Patch (for 1.3 Users)

Download the patch zip file attached to the end of this message. It contains 2 files:
  • js/xenforo/xenforo.js
  • js/xenforo/full/xenforo.js
These 2 files should be uploaded to your server, overwriting the existing files of the same names.

Note that with this method there is no outward indication that the patch has been applied. We recommend upgrading if possible.


Top Bottom