CVE-2026-35057：XenForo存储型XSS漏洞，影响2.3.0-2.3.10

XenForo的CVE-2026-35057漏洞影响2.3.10版本之前和2.2.19之前的版本，引入了一种存储型跨站脚本攻击（XSS）漏洞。此漏洞通过结构化文本中的恶意提及进行利用，主要影响旧版个人资料帖子内容。攻击者可以注入恶意脚本，这些脚本存储在系统中并在其他用户查看受影响内容时执行。这可能导致Cookie被盗、重定向到恶意网站或修改页面内容，从而危及论坛的安全性和完整性。影响的严重程度取决于受影响用户的权限以及论坛上公开信息的敏感程度。

Organizations and individuals running XenForo forums, particularly those using older versions (2.3.0 - 2.3.10) or those with legacy profile post content. Shared hosting environments where multiple forums share the same server instance are also at increased risk, as a compromise of one forum could potentially impact others.

• php / web:

curl -I https://example.com/forum/mention.php?id=123 | grep -i 'X-XSS-Protection'

• php / web: Check XenForo version by examining the XF.version variable in the HTML source code. • php / web: Review XenForo forum logs for suspicious activity related to profile post creation and modification, specifically looking for unusual characters or patterns in mention content. • php / web: Use a WAF to monitor for XSS attempts targeting profile post mentions.

1. 2026-04-01Disclosure

   disclosure

1. 已保留2026-04-01
2. 发布日期2026-04-01
3. EPSS 更新日期2026-04-08

减轻CVE-2026-35057的解决方案是将XenForo更新到2.3.10或更高版本，或2.2.19或更高版本。此更新包含解决XSS漏洞的补丁。建议尽快执行更新以防止潜在攻击。此外，建议定期对论坛进行安全审计，以识别和纠正任何潜在漏洞。监控服务器日志以查找可疑活动也有助于检测和响应潜在攻击。