The issues identified are as follows:
- Prevention of a possible stored XSS (cross-site scripting) exploit related to BB code rendering (thank you to Antisocial)
- Prevention of a possible XSS exploit related to lightbox usage in posts (thank you UwU)
- Prevention of a possible RCE (remote code execution) exploit via authenticated, but malicious, admin users (thank you UwU)
If you are a XenForo Cloud customer, fixes for these issues have been rolled out automatically, and no further action is required to address them.
We recommend doing a full upgrade to resolve the issue, but a patch can be applied manually. See below for further details.
Upload patch files
- Download 239-patch.zip
- Extract the .zip file
- Upload the contents of the upload directory to the root of your XenForo installation
- Rebuild master data by logging in to your install URL, or running xf:rebuild-master-data on the command line
If you are a XenForo Cloud customer, your installations have already been patched and no further action is required. You will remain on version 2.3.8 until 2.3.10 is released.
The following public templates have had changes:
- attachment_macros
- bb_code_tag_attach
- lightbox_macros
Where necessary, the merge system within the "outdated templates" page should be used to integrate these changes.
The following are minimum requirements:
- PHP 7.2 or newer (PHP 8.3 recommended)
- MySQL 5.7 and newer (Also compatible with MariaDB/Percona etc.)
- All of the official add-ons require XenForo 2.3.
- Enhanced Search requires at least Elasticsearch 7.2.
