anonhaven
Ad

CVE-2024-58342

MEDIUM CVSS 4.0: 5.3 EPSS 0.03%
Updated Apr 01, 2026
Xenforo
Parameter Value
CVSS 5.3 (MEDIUM)
Affected Versions before 2.2.17
Fixed In 2.2.17
Type CWE-601 (Open Redirect)
Vendor Xenforo
Public PoC No

XenForo before 2.2.17 and 2.3.1 allows open redirect via a specially crafted URL. The getDynamicRedirect() function does not adequately validate the redirect target, allowing attackers to redirect users to arbitrary external sites using crafted URLs containing newlines, user credentials, or host mismatches.

Attack Parameters

Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Attack Requirements
None
No additional conditions
Privileges Required
None
No privileges needed
User Interaction
Passive
Minimal interaction

Impact Assessment

Confidentiality
Low
Partial data leak
Integrity
Low
Partial data modification
Availability
Low
Partial disruption

CVSS Vector v4.0

Weakness Type (CWE)

CWE-601 Open Redirect

Vulnerable Products 2

Configuration From (including) Up to (excluding)
Xenforo Xenforo
cpe:2.3:a:xenforo:xenforo:*:*:*:*:*:*:*:*
 2.2.17
Xenforo Xenforo
cpe:2.3:a:xenforo:xenforo:2.3.0:*:*:*:*:*:*:*

References 2

https://www.vulncheck.com/advisories/xenforo-open-redirect-via-getdynamicredire…
disclosure@vulncheck.com
https://xenforo.com/community/threads/xenforo-2-2-17-released-security-fix.2277…
disclosure@vulncheck.com
Share Post Share Share Share

Related Vulnerabilities

CVE-2026-35056

Xenforo

8.6

CVE-2026-35055

Xenforo

5.1

CVE-2026-35054

Xenforo

5.1

CVE-2025-71282

Xenforo

8.7

CVE-2025-71281

Xenforo

8.7