CVE-2024-38457

CVSS 8.8 HIGH · EPSS 7.4% · CWE-352
In short

XenForo before version 2.2.16 is vulnerable to Cross-Site Request Forgery (CSRF): an attacker can make a logged-in user's browser submit actions to the forum that the user never intended, without the user noticing.

Technical detail

This CSRF weakness (CWE-352) in XenForo before 2.2.16 lets an attacker have a victim's browser send state-changing requests to the forum with the victim's session cookies attached, typically by placing an auto-submitting form or a hidden image/script reference on a page the attacker controls. Exploitation needs user interaction (the victim visits the crafted page while logged in, UI:R in the vector) but no privileges on the forum (PR:N); the forged request executes with whatever rights the victim's account holds, so the consequences range from edited content and changed account settings to administrative actions when the victim is an administrator, which is consistent with the assigned C:H/I:H/A:H impact. The official description does not identify the affected endpoint or the check that was missing; the remediation is to upgrade to 2.2.16 or later.

Summary generated and translated by AI from the official description.
Xenforo before 2.2.16 allows CSRF.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
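The advisory gives no detail of the missing check, so the following is a generic illustration of the CWE-352 pattern and its usual fix, written for this page and not taken from XenForo's code base: a cookie-authenticated "change e-mail" handler that accepts any POST carrying the victim's session cookie, beside a hardened version that requires a session-bound synchronizer token and rejects cross-site Origin/Referer values. The session store, the Request class, the forum origin and the attacker origin are all constructed stand-ins.

```python
"""Synchronizer-token CSRF defence for a state-changing forum action.

Illustration added for this page, not XenForo code. SESSIONS, Request,
SITE_ORIGIN and the 'change e-mail' action are constructed stand-ins.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

SERVER_SECRET = secrets.token_bytes(32)   # per-deployment secret (assumed)
SITE_ORIGIN = "https://forum.example"     # hypothetical forum origin

# session id -> account data, as if populated by a login (constructed)
SESSIONS: Dict[str, Dict[str, str]] = {
    "sess-alice": {"user": "alice", "email": "alice@example.org"},
}


@dataclass
class Request:
    """The parts of an HTTP request that matter for a CSRF decision."""
    method: str
    cookies: Dict[str, str]
    form: Dict[str, str] = field(default_factory=dict)
    headers: Dict[str, str] = field(default_factory=dict)


def issue_csrf_token(session_id: str) -> str:
    """Token = HMAC(secret, session id). Binding it to the session means a
    token the attacker obtains in their own session is useless against Alice."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_token_valid(session_id: str, presented: Optional[str]) -> bool:
    """Constant-time comparison against the token expected for this session."""
    if not presented:
        return False
    return hmac.compare_digest(issue_csrf_token(session_id), presented)


def origin_allowed(req: Request) -> bool:
    """Second line of defence: browsers attach Origin (or at least Referer) to
    cross-site POSTs and page script cannot overwrite either header."""
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    return origin.startswith(SITE_ORIGIN)


def change_email_vulnerable(req: Request) -> Tuple[int, str]:
    """The CWE-352 pattern: authenticated by cookie alone, so any site that
    can make the victim's browser POST here changes the victim's e-mail."""
    session = SESSIONS.get(req.cookies.get("session", ""))
    if req.method != "POST" or session is None:
        return 403, "not logged in"
    session["email"] = req.form["email"]
    return 200, "email changed"


def change_email_hardened(req: Request) -> Tuple[int, str]:
    """Same action gated by a session-bound token and an origin check."""
    sid = req.cookies.get("session", "")
    session = SESSIONS.get(sid)
    if req.method != "POST" or session is None:
        return 403, "not logged in"
    if not csrf_token_valid(sid, req.form.get("_csrf")):
        return 403, "missing or invalid CSRF token"
    if not origin_allowed(req):
        return 403, "cross-site origin rejected"
    session["email"] = req.form["email"]
    return 200, "email changed"


def legitimate_request(email: str) -> Request:
    """Form submitted from a forum page that embedded the token for Alice."""
    return Request("POST", {"session": "sess-alice"},
                   {"email": email, "_csrf": issue_csrf_token("sess-alice")},
                   {"Origin": SITE_ORIGIN})


def forged_request(email: str) -> Request:
    """Auto-submitting form on attacker.example: the browser attaches Alice's
    cookie, but the attacker can neither read her token nor set Origin."""
    return Request("POST", {"session": "sess-alice"},
                   {"email": email},
                   {"Origin": "https://attacker.example"})


if __name__ == "__main__":
    print(change_email_hardened(forged_request("evil@attacker.example")))
    print(change_email_hardened(legitimate_request("alice@example.org")))
    print(change_email_vulnerable(forged_request("evil@attacker.example")))
```

The hardened handler fails closed when neither Origin nor Referer is present, which rejects a small population of privacy-stripping clients; deployments that cannot accept that should fall back to the token check alone. A `SameSite=Lax` attribute on the session cookie stops the auto-submitted cross-site POST at the browser before it reaches the handler and is a cheap third layer, but it does not replace the token.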
Affected products
n/a · n/a
