Xenforo vs vBulletin vs Invision - history of vulnerabilities (Xenforo the clear winner)

Interesting take!

I go by taste rather than looking up those stats.

Sniff test = if it is buggy the software stinks.

Xenforo usually passes the sniff test!
vB doesn't.
Invision is too buggy and doesn't.
 
The first one is already fixed and was shipped with 2.2.14 or .15.

The second one is absolutely not a valid vulnerability. Being able to edit advertising HTML is an as-designed feature. It's no secret that if you can edit HTML, you can insert scripts. And with advertising more than anything, we absolutely expect various scripts to be used here - how else would advertising ever be able to work?
 
An admin with access to editing forums can add scripts to forum descriptions too, and can close the forum and add the XSS scripts there too! 😮
 
When comparing vulnerabilities it's worth noting the actual payload e.g. vBulletin's worst data breach not only compromised forum users but also customer accounts including names, addresses, birth dates, security Q&As, email addresses, home page URLs, IM identities, IP addresses and passwords.
 
When comparing vulnerabilities it's worth noting the actual payload e.g. vBulletin's worst data breach not only compromised forum users but also customer accounts including names, addresses, birth dates, security Q&As, email addresses, home page URLs, IM identities, IP addresses and passwords.
How recent was that?
 
Update


Security Fix

Today we are advising all customers running XenForo that a potential security vulnerability has been identified. All affected customers should either upgrade to XenForo 2.1.15 or XenForo 2.2.16.

If you are a XenForo Cloud customer, a fix has been rolled out automatically, and no further action is required to address this issue.

If you are running a pre-release version of XenForo 2.3, you should follow the instructions in the announcement thread for the XenForo 2.3.0 Release Candidate 1 release.

The issue relates to a potential cross-site request forgery and code injection vulnerability which could lead to a remote code execution (RCE) or cross-site scripting (XSS) exploit.

XenForo extends thanks to independent security researcher, Egidio Romano (EgiX), working with SSD Secure Disclosure.

We recommend doing a full upgrade to resolve the issue, but a patch can be applied manually to any version. See below for further details.

[source]

No details were available on SSD SD site.
 
IP.Board had another vulnerability.



Code:
Summary

IP.Board e-commerce plugin ‘nexus’ contains two security vulnerabilities that when combined can be used to trigger a pre-auth RCE in AdminCP.

Credit

An independent security researcher, Egidio Romano from Karma(In)Security, working with SSD Secure Disclosure.

Vendor Response

The vendor has released a new version of IP.Board with appropriate fixes: https://invisioncommunity.com/release-notes/4716-r128/

Affected Versions

IP.Board version 4.7.15 and prior with ‘nexus’ plugin enabled

CVE

CVE-2024-30162 for the Remote Code Execution
CVE-2024-30163 for the Blind SQL Injection
Technical Analysis

Blind SQL Injection

The vulnerable code is located in the /applications/nexus/modules/front/store/store.php script

Specifically, in the IPS\nexus\modules\front\store_store::_categoryView() method:
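The advisory quoted above names the file and method but the vulnerable code itself is not reproduced in the thread. The block below is an added illustration written for this page, not IP.Board's code and not from the advisory: it shows the general shape of a category lookup that is open to blind SQL injection beside the hardened form, so the defect class is visible even without the original source. Function names, the table layout and the sample rows are all assumptions made for the demo.

```php
<?php
// Added illustration, not IP.Board's code. The method and file named in the
// advisory are not reproduced here; the shapes below are assumptions.

function categoryViewVulnerable(PDO $db, array $request): array {
    // Defect: the request value is concatenated straight into the SQL text,
    // so anything that is not a plain number becomes part of the query.
    $id = $request['id'] ?? '';
    $sql = "SELECT id, name FROM categories WHERE id = " . $id;
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

function categoryViewHardened(PDO $db, array $request): array {
    // 1. Validate: a category identifier is a positive integer and nothing else.
    $id = filter_var(
        $request['id'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($id === false) {
        throw new InvalidArgumentException('category id must be a positive integer');
    }
    // 2. Bind: the value is sent separately from the query text, so it can
    //    never alter the query's structure, blind or otherwise.
    $stmt = $db->prepare('SELECT id, name FROM categories WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Demo against an in-memory SQLite database with constructed sample rows.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE categories (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO categories VALUES (1, 'Books'), (2, 'Music')");

// A regression-test style input: a value that is not a bare integer. In the
// vulnerable path it is evaluated as part of the WHERE clause and silently
// changes the result set, which is exactly the signal a blind injection
// relies on; the hardened path rejects it before any SQL runs.
$badInput = ['id' => '1 AND 1=0'];
var_dump(count(categoryViewVulnerable($db, $badInput)));   // int(0): result changed
try {
    categoryViewHardened($db, $badInput);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;                         // rejected, no query issued
}
print_r(categoryViewHardened($db, ['id' => '2']));         // ordinary use still works
```

From a detection standpoint the useful point is the first function's behaviour: a non-numeric `id` does not error out, it just returns a different row count, so monitoring for SQL errors alone would miss it. Input validation plus bound parameters closes both the blind and the error-based variants at once.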
 