CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 1CVE-2024-38457 – XenForo 2.2.15 Cross Site Request Forgery
https://notcve.org/view.php?id=CVE-2024-38457
16 Jun 2024 — Xenforo before 2.2.16 allows CSRF. Xenforo anterior a 2.2.16 permite CSRF. XenForo versions 2.2.15 and below suffer from a cross site request forgery vulnerability in Widget::actionSave. • https://packetstorm.news/files/id/179585 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 1CVE-2024-38458 – Xenforo 2.2.15 Remote Code Execution
https://notcve.org/view.php?id=CVE-2024-38458
16 Jun 2024 — Xenforo before 2.2.16 allows code injection. Xenforo anterior a 2.2.16 permite la inyección de código. XenForo versions 2.2.15 and below suffer from a remote code execution vulnerability in the Template system. • https://packetstorm.news/files/id/179586 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-25006
https://notcve.org/view.php?id=CVE-2024-25006
02 Feb 2024 — XenForo before 2.2.14 allows Directory Traversal (with write access) by an authenticated user who has permissions to administer styles, and uses a ZIP archive for Styles Import. XenForo anterior a 2.2.14 permite el Directory Traversal (con acceso de escritura) por parte de un usuario autenticado que tiene permisos para administrar estilos y utiliza un archivo ZIP para importar estilos. • https://xenforo.com/community/threads/xenforo-2-2-14-released.219044 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 1CVE-2021-43032
https://notcve.org/view.php?id=CVE-2021-43032
03 Nov 2021 — In XenForo through 2.2.7, a threat actor with access to the admin panel can create a new Advertisement via the Advertising function, and save an XSS payload in the body of the HTML document. This payload will execute globally on the client side. En XenForo versiones hasta 2.2.7, un actor de la amenaza con acceso al panel de administración puede crear un nuevo Anuncio por medio de la función Advertising y guardar una carga útil de tipo XSS en el cuerpo del documento HTML. Esta carga útil será ejecutada globa... • https://github.com/SakuraSamuraii/CVE-2021-43032 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •