VWE-2015-1601 Printable Version

https://www.vaultwiki.org/pages/Book/Documentation/VWE-2015-1601
This page is a chapter in Info Known Vulnerabilities

This page has been seen 317,218 times.

- Created by
  pegasus
  on October 4, 2015
  
  Last updated by
  pegasus
  on April 8, 2018

Common Name Cross-Template Vulnerability
VWE-ID VWE-2015-1601
Related Report None
Severity HIGH
Exploit Difficulty Difficult
Platform XenForo
Description Randomly successful HTML/Javascript injection (success rate: ~1/50000 uncached page views). Does not affect Lite versions.

Discovered October 2, 2015
Resolved October 4, 2015
Patches Available 4.0.6 Patch Level 1
4.0.5 Patch Level 1
4.0.4 Patch Level 1
4.0.3 Patch Level 2
4.0.2 Patch Level 5
4.0.1 Patch Level 8
4.0.0 Patch Level 7
4.0.0 RC 5 Patch Level 6
4.0.0 RC 4 Patch Level 7
Workaround Disable the Template content-type via the Wiki Admin Panel.
The versions listed below are known to be affected by this issue. If you are using one of those versions, you should update to a newer release that has no known vulnerabilities.

Common Name	Cross-Template Vulnerability
VWE-ID	VWE-2015-1601
Related Report	None
Severity	HIGH
Exploit Difficulty	Difficult
Platform	XenForo
Description	Randomly successful HTML/Javascript injection (success rate: ~1/50000 uncached page views). Does not affect Lite versions.
Discovered	October 2, 2015
Resolved	October 4, 2015
Patches Available	4.0.6 Patch Level 1 4.0.5 Patch Level 1 4.0.4 Patch Level 1 4.0.3 Patch Level 2 4.0.2 Patch Level 5 4.0.1 Patch Level 8 4.0.0 Patch Level 7 4.0.0 RC 5 Patch Level 6 4.0.0 RC 4 Patch Level 7
Workaround	Disable the Template content-type via the Wiki Admin Panel.