We have recently become aware of a security issue within XenForo and have released a patch and new version (XenForo 1.4.10) to resolve this issue. We strongly recommend all XenForo customers follow the steps below to resolve this issue.
The issue is a cross site scripting (XSS) flaw that could allow an attacker to steal cookies or force a user to take actions without their consent or knowledge (possibly including administrative actions).
If you have any questions relating to installing this patch or upgrading to the new version, please post in the Upgrade Support forum.
Method 1: Upgrade to the New Version
You may upgrade to XenForo 1.4.10 to fix this issue. You should upgrade as you would to any other release.
Customers with an active license may download this version from their customer area. Full details for how to install and upgrade XenForo can be found in the XenForo Manual.
In addition, two minor bug fixes are included:
- Fixed a small styling issue with the Admin Navigation evident in Microsoft Edge browser.
- Adjusted the regex matching for stripping BB code to include underscores in closing tags.
Method 2: Install the Patch
Download the patch zip file attached to the end of this message. It contains 4 files:
- library/XenForo/DataWriter.php
- library/XenForo/Install/View/ErrorServer.php
- library/XenForo/ViewAdmin/Error/ServerError.php
- library/XenForo/ViewPublic/Error/ServerError.php
Note that with this method there is no outward indication that the patch has been applied. We recommend upgrading if possible.