XenForo 2.1.15 Patch 1, 2.2.16 Patch 2 and XenForo Media Gallery (Security Fixes) 2.2.18

Name: XenForo 2.1.15 Patch 1, 2.2.16 Patch 2 and XenForo Media Gallery (Security Fixes)
Availability: InStock
Author: axtona

Compatibilité XF

2.2.x

Description courte: Enhance your XenForo security with this quick fix for potential vulnerabilities. All affected customers should upgrade to XenForo 2.1.15 or 2.2.16. For Cloud users, a patch has been automatically applied. Pre-release 2.3 users must follow specific instructions. Manual patching involves editing XF.php and uploading files as per the provided steps for effective security enhancement.

Security Fix

Today we are advising all customers running XenForo that a potential security vulnerability has been identified. All affected customers should either upgrade to XenForo 2.1.15 or XenForo 2.2.16.

If you are a XenForo Cloud customer, a fix has been rolled out automatically, and no further action is required to address this issue.

If you are running a pre-release version of XenForo 2.3, you should follow the instructions in the announcement thread for the XenForo 2.3.0 Release Candidate 1 release.

The issue relates to a potential cross-site request forgery and code injection vulnerability which could lead to a remote code execution (RCE) or cross-site scripting (XSS) exploit.

XenForo extends thanks to independent security researcher, Egidio Romano (EgiX), working with SSD Secure Disclosure.

We recommend doing a full upgrade to resolve the issue, but a patch can be applied manually to any version. See below for further details.

Applying a patch manually

To patch this issue manually you will need to edit one file manually and upload some changed files.

Step 1: Edit

src/XF.php

Find the following line in this file:

PHP:

$parts = explode(':', $string, 3);
Replace that line with the following:

to

PHP:

      if (!$string) return '';
if (strpos($string, ':') === false)
{
$pattern = '#^\\\?'
. str_replace('%s', '([A-Za-z0-9_\\\]+)', preg_quote(ltrim($formatter, '\\')))
. '$#';
if (!preg_match($pattern, $string, $matches))
{
throw new \InvalidArgumentException(sprintf(
 'Class %s does not match formatter pattern %s',
 $string,
$formatter
));
 }
// already a class
return $string;
 }
$parts = explode(':', $string, 3);

Note: This file cannot be patched automatically as it contains install-specific data. You must apply this change manually to any XenForo installation running XenForo 2.1 or 2.2 to effectively fix the issue.

Step 2: Upload XF files

Download either 2115-patch.zip (for XenForo 2.1) or 2216-patch.zip (for XenForo 2.2).
Extract the .zip file
Upload the contents of the upload directory to the root of your XenForo installation

Step 3: Upload XFMG files (for XenForo Media Gallery customers only)

Download either xfmg219-patch.zip (for XenForo Media Gallery 2.1) or xfmg226-patch.zip (for XenForo Media Gallery 2.2).
Extract the .zip file
Upload the contents of the upload directory to the root of your XenForo installation

Auteur: axtona

Vues: 390

Type d’extension: zip

Taille du fichier: 576.4 Ko

Première publication: Juin 5, 2024

Dernière mise à jour: Fév. 7, 2026

Évaluations 0.00 étoile(s) 0 évaluations

Rejoindre le fil de discussion (1) Plus d'informations

Lien cassé ? Envoyer un message à l’équipe NP et nous vous aiderons rapidement !

Soutenez le développeur Si vous êtes satisfait du test ou que votre projet vous a rapporté de l’argent, cliquez sur le bouton « Plus d’informations » pour soutenir le développeur en achetant.

Partager cette ressource