Skip to main content

Xenforo CVE-2024-38457

HIGH
Cross-Site Request Forgery (CSRF) (CWE-352)
2024-06-16 cve@mitre.org
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Jun 16, 2024 - 15:15 nvd
HIGH 8.8

DescriptionNVD

Xenforo before 2.2.16 allows CSRF.

AnalysisAI

Xenforo before 2.2.16 allows CSRF. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Technical ContextAI

This vulnerability is classified as Cross-Site Request Forgery (CSRF) (CWE-352), which allows attackers to trick authenticated users into performing unintended actions. Affected products include: Xenforo. Version information: before 2.2.16.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Implement anti-CSRF tokens, validate Origin/Referer headers, use SameSite cookie attribute.

CVE-2024-38458 HIGH POC
8.8 Jun 16

Xenforo before 2.2.16 allows code injection. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable,

CVE-2025-71279 CRITICAL
9.3 Apr 01

Authentication bypass in XenForo versions prior to 2.3.7 compromises passkey-based authentication, allowing remote unaut

CVE-2021-43032 MEDIUM POC
4.8 Nov 03

In XenForo through 2.2.7, a threat actor with access to the admin panel can create a new Advertisement via the Advertisi

CVE-2025-71281 HIGH
8.7 Apr 01

Remote code execution in XenForo versions before 2.3.7 allows authenticated users to invoke unauthorized methods through

CVE-2025-71278 HIGH
8.7 Apr 01

OAuth2 scope enforcement vulnerability in XenForo 2.3.x (prior to 2.3.5) allows authenticated client applications to req

CVE-2025-71282 HIGH
8.7 Apr 01

XenForo forum software versions prior to 2.3.7 disclose server filesystem paths through exception messages triggered by

CVE-2026-35056 HIGH
8.6 Apr 01

Remote code execution in XenForo versions prior to 2.3.9 and 2.2.18 allows authenticated administrators to execute arbit

CVE-2024-25006 HIGH
8.1 Feb 29

XenForo before 2.2.14 allows Directory Traversal (with write access) by an authenticated user who has permissions to adm

CVE-2025-71280 MEDIUM
6.9 Apr 01

XenForo before version 2.3.7 exposes sensitive user account information through improper browser caching of account page

CVE-2026-35057 MEDIUM
5.1 Apr 01

Stored cross-site scripting (XSS) in XenForo before 2.3.10 and 2.2.19 allows authenticated attackers to inject malicious

CVE-2026-35055 MEDIUM
5.1 Apr 01

Cross-site scripting (XSS) in XenForo lightbox functionality allows unauthenticated remote attackers to inject malicious

CVE-2026-35054 MEDIUM
5.1 Apr 01

Stored cross-site scripting in XenForo before version 2.3.9 allows authenticated users to inject malicious scripts throu

Share

CVE-2024-38457 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy