TROYANOSYVIRUS
Volver a CVEs

CVE-2025-71278

HIGH
8.8

Descripcion

XenForo before 2.3.5 allows OAuth2 client applications to request unauthorized scopes. This affects any customer using OAuth2 clients on any version of XenForo 2.3 prior to 2.3.5, potentially allowing client applications to gain access beyond their intended authorization level.

Detalles CVE

Puntuacion CVSS v3.18.8
SeveridadHIGH
Vector CVSSCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Vector de ataqueNETWORK
ComplejidadLOW
Privilegios requeridosLOW
Interaccion usuarioNONE
Publicado4/1/2026
Ultima modificacion4/1/2026
Fuentenvd
Avistamientos honeypot0

Productos afectados

xenforo:xenforo

Debilidades (CWE)

CWE-863

Referencias

https://www.vulncheck.com/advisories/xenforo-oauth2-unauthorized-scope-request(disclosure@vulncheck.com)
https://xenforo.com/community/threads/xenforo-2-3-5-includes-security-fix-add-ons-released.228812/(disclosure@vulncheck.com)

Correlaciones IOC

Sin correlaciones registradas

This product uses data from the NVD API but is not endorsed or certified by the NVD.