xF1 Add-on ToggleME 3.1.4

Version 3.1.4 released
Sanitize strings in the option page to avoid XSS injection from the admin side. Thanks to Julien from RCE Security for his POC. I quote him:
"To successfully exploit this vulnerability, a user with rights to add or change user group titles, style titles or category titles must trick another authenticated user with access rights to the administrative panel to visit the affected configuration page of the plugin."
By the way, version 3.1.3 was never released on XenForo. It adds a mobile postbit option.