HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.

Limited XSS flaw in 2.1 - simple workaround

LincLinc Detroit Admin

In Vanilla 2.1, it may be possible for a user to get Javascript to run on their own profile page IF:

  1. You are using the Profile Extender addon AND...
  2. You have a field precisely named Twitter or Google+

If you are NOT using Profile Extender or simply do not have any fields with those names, you have no issue and do not need to take any action.

The workaround is to name those fields anything else until 2.1.1 is released. The names must be an exact string match on one of the 3 names above for the exploit to be open. Simply adding an underscore or a number on the end of the field label would mitigate it entirely.

To do this, go to Profile Fields in your Dashboard and click "Edit" on the field you wish to change the name of. If you do not have a Profile Fields section in your Dashboard, you are definitely NOT effected by this issue and need take no further action.

Because this flaw has a very small scope with an easy workaround and 2.1.1 is already scheduled for August, we're not expediting the 2.1.1 release further to address it. Please simply make the change above as needed.


  • Options
    LincLinc Detroit Admin

    If you are a developer or don't mind editing code, the patch is here: https://github.com/vanilla/vanilla/commit/d358fbb7131082f4c5e8ce6a5811fe1a3871d263

  • Options
    LincLinc Detroit Admin
    edited July 2014

    If you previously upgraded your Profile Extender addon beyond the 2.1 version (i.e. you grabbed the version off master branch) you should upgrade to the latest version there now or minimally implement the patch on line 185 above - that is the core of the issue. The line number will be different in your version, of course.

Sign In or Register to comment.