CVE-2024-58342 | THREATINT

Description

XenForo before 2.2.17 and 2.3.1 allows open redirect via a specially crafted URL. The getDynamicRedirect() function does not adequately validate the redirect target, allowing attackers to redirect users to arbitrary external sites using crafted URLs containing newlines, user credentials, or host mismatches.

PUBLISHED Reserved 2026-04-01 | Published 2026-04-01 | Updated 2026-04-01 | Assigner VulnCheck

MEDIUM: 5.3CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

MEDIUM: 6.3CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

Problem types

URL Redirection to Untrusted Site ('Open Redirect')

Product status

Any version before 2.2.17

affected

2.3.0 (semver) before 2.3.1

affected

Credits

mattrogowski finder

Jake B. finder

ThemeHouse finder

References

xenforo.com/.../xenforo-2-2-17-released-security-fix.227797/ (XenForo 2.2.17 Released (Security Fix)) vendor-advisory patch

www.vulncheck.com/...ro-open-redirect-via-getdynamicredirect (VulnCheck Advisory: XenForo Open Redirect via getDynamicRedirect) third-party-advisory

cve.org (CVE-2024-58342)

nvd.nist.gov (CVE-2024-58342)

Download JSON