CVE-2025-66824

HIGH

8.7

Descricao

A Stored Cross-Site Scripting (XSS) vulnerability exists in the Meeting location field of the Create/Edit Conference functionality in TrueConf Server v5.5.2.10813. The injected payload is stored via the meeting_room parameter and executed when users visit the Conference Info page, allowing attackers to achieve full Account Takeover (ATO). This issue is caused by improper sanitization of user-supplied input in the meeting_room field.

Detalhes CVE

Pontuacao CVSS v3.18.7

SeveridadeHIGH

Vetor CVSSCVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

Vetor de ataqueNETWORK

ComplexidadeLOW

Privilegios necessariosLOW

Interacao do usuarioREQUIRED

Publicado12/30/2025

Ultima modificacao1/7/2026

Fontenvd

Avistamentos honeypot0

Produtos afetados

trueconf:server

Fraquezas (CWE)

CWE-79

Referencias

https://github.com/x00nullbit/CVE-References/blob/main/CVE-2025-66824/README.md(cve@mitre.org)

https://trueconf.com(cve@mitre.org)

https://github.com/x00nullbit/CVE-References/blob/main/CVE-2025-66824/README.md(134c704f-9b21-4f2e-91b3-4a467353bcc0)

Correlacoes IOC

Sem correlacoes registradas

This product uses data from the NVD API but is not endorsed or certified by the NVD.