During routine internal testing, we discovered a security issue within XenForo 1.3 and newer. The issue allows a cross-site scripting (XSS) attack to potentially be triggered via a specially crafted profile post. XSS issues may allow an attacker to steal data (including cookies) or force a user to take actions without their consent or knowledge (possibly including administrative actions).
We strongly recommend all XenForo customers follow one of the steps below to resolve this issue.
If you have any questions relating to installing this patch or upgrading to the new version, please post in the Upgrade Support forum.
Method 1: Upgrade to the New Version (Recommended)
You may upgrade to XenForo 1.5.4 (or any subsequent version) to fix this issue. You should upgrade as you would to any other release. If you take this approach, you should not apply the patch below.
Customers with an active license may download this version from their customer area. Full details on how to install and upgrade XenForo can be found in the XenForo Manual.