xenforo CVE vulnerabilities and CVE list (15)

Product (CPE): — CVE count: 15

xenforo vulnerability overview

This page aggregates CVEs and security vulnerability information for all xenforo-related products, including CVSS, EPSS, publication dates, and vulnerability details.

The published issues most often relate to cross-site scripting, path-handling flaws, and CSRF, and in the context of software deployment and production workloads they may carry exposure risks such as session compromise and file overwrite.

The listed data is based on published vulnerability information and security advisories and can be used to assess past exposure surface and remediation priority.

Vulnerability distribution trend (last 24 months)

| CVE | Summary | Source | Max CVSS | EPSS | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2026-35057 | XenForo before 2.3.10 and before 2.2.19 is vulnerable to stored cross-site scripting (XSS) in structured text mentions, primarily affecting legacy profile post content. An attacker can inject malicious scripts through crafted mentions that are stored and executed when other users view the content. | [email protected] | 5.1 | 0.17% | 2026-03-31 | 2026-06-17 |
| CVE-2026-35056 | XenForo before 2.3.9 and before 2.2.18 allows remote code execution (RCE) by authenticated, but malicious, admin users. An attacker with admin panel access can execute arbitrary code on the server. | [email protected] | 8.6 | 0.67% | 2026-03-31 | 2026-06-17 |
| CVE-2026-35055 | XenForo before 2.3.9 and before 2.2.18 is vulnerable to cross-site scripting (XSS) related to lightbox usage in posts. An attacker can inject malicious scripts that execute when users interact with post content displayed in the lightbox. | [email protected] | 5.1 | 0.15% | 2026-03-31 | 2026-06-17 |
| CVE-2026-35054 | XenForo before 2.3.9 is vulnerable to stored cross-site scripting (XSS) related to BB code rendering. An attacker can inject malicious scripts through BB code that are stored and executed when other users view the content. | [email protected] | 5.1 | 0.14% | 2026-03-31 | 2026-06-17 |
| CVE-2025-71282 | XenForo before 2.3.7 discloses filesystem paths through exception messages triggered by open_basedir restrictions. This allows an attacker to obtain information about the server's directory structure. | [email protected] | 8.7 | 0.34% | 2026-03-31 | 2026-06-17 |
| CVE-2025-71281 | XenForo before 2.3.7 does not properly restrict methods callable from within templates. A loose prefix match was used instead of a stricter first-word match for methods accessible through callbacks and variable method calls in templates, potentially allowing unauthorized method invocations. | [email protected] | 8.7 | 0.33% | 2026-03-31 | 2026-06-17 |
| CVE-2025-71280 | XenForo before 2.3.7 allows information disclosure via local account page caching on shared systems. On systems where multiple users share a browser or machine, cached account pages could expose sensitive user information to other local users. | [email protected] | 6.9 | 0.12% | 2026-03-31 | 2026-06-17 |
| CVE-2025-71279 | XenForo before 2.3.7 contains a security issue affecting Passkeys that have been added to user accounts. An attacker may be able to compromise the security of Passkey-based authentication. | [email protected] | 9.3 | 0.45% | 2026-03-31 | 2026-06-17 |
| CVE-2025-71278 | XenForo before 2.3.5 allows OAuth2 client applications to request unauthorized scopes. This affects any customer using OAuth2 clients on any version of XenForo 2.3 prior to 2.3.5, potentially allowing client applications to gain access beyond their intended authorization level. | [email protected] | 8.7 | 0.27% | 2026-03-31 | 2026-06-17 |
| CVE-2024-58342 | XenForo before 2.2.17 and 2.3.1 allows open redirect via a specially crafted URL. The getDynamicRedirect() function does not adequately validate the redirect target, allowing attackers to redirect users to arbitrary external sites using crafted URLs containing newlines, user credentials, or host mismatches. | [email protected] | 5.3 | 0.15% | 2026-03-31 | 2026-06-17 |
| CVE-2023-53904 | Xenforo 2.2.13 contains a stored cross-site scripting vulnerability that allows authenticated administrators to inject malicious scripts through the smilie category title parameter. Attackers can create a smilie category with a malicious script that will execute when the admin panel is loaded, potentially enabling further client-side attacks. | [email protected] | 5.1 | 0.22% | 2025-12-17 | 2026-06-17 |
| CVE-2024-38458 | Xenforo before 2.2.16 allows code injection. | [email protected] | 8.8 | 0.89% | 2024-06-16 | 2026-06-17 |
| CVE-2024-38457 | Xenforo before 2.2.16 allows CSRF. | [email protected] | 8.8 | 7.41% | 2024-06-16 | 2026-06-17 |
| CVE-2024-25006 | XenForo before 2.2.14 allows Directory Traversal (with write access) by an authenticated user who has permissions to administer styles, and uses a ZIP archive for Styles Import. | [email protected] | 8.1 | 1.02% | 2024-02-28 | 2026-06-17 |
| CVE-2021-43032 | In XenForo through 2.2.7, a threat actor with access to the admin panel can create a new Advertisement via the Advertising function, and save an XSS payload in the body of the HTML document. This payload will execute globally on the client side. | [email protected] | 4.8 | 0.90% | 2021-11-03 | 2026-06-17 |
cvelogic Threat Intelligence