Skip to main content

Xenforo CVE-2024-25006

HIGH
Path Traversal (CWE-22)
2024-02-29 cve@mitre.org
8.1
CVSS 3.1 · Vendor: mitre
Share

Severity by source

Vendor (mitre) PRIMARY
8.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Primary rating from Vendor (mitre) · only source for this CVE.

CVSS VectorVendor: mitre

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

1
CVE Published
Feb 29, 2024 - 01:44 cve.org
HIGH 8.1

DescriptionCVE.org

XenForo before 2.2.14 allows Directory Traversal (with write access) by an authenticated user who has permissions to administer styles, and uses a ZIP archive for Styles Import.

AnalysisAI

XenForo before 2.2.14 allows Directory Traversal (with write access) by an authenticated user who has permissions to administer styles, and uses a ZIP archive for Styles Import. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified as Path Traversal (CWE-22), which allows attackers to access files and directories outside the intended path. XenForo before 2.2.14 allows Directory Traversal (with write access) by an authenticated user who has permissions to administer styles, and uses a ZIP archive for Styles Import. Affected products include: Xenforo. Version information: before 2.2.14.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Validate and canonicalize file paths. Use chroot or sandboxing. Reject input containing path separators or '../' sequences.

CVE-2024-38458 HIGH POC
8.8 Jun 16

Xenforo before 2.2.16 allows code injection. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable,

CVE-2024-38457 HIGH POC
8.8 Jun 16

Xenforo before 2.2.16 allows CSRF. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authen

CVE-2025-71279 CRITICAL
9.3 Apr 01

Authentication bypass in XenForo versions prior to 2.3.7 compromises passkey-based authentication, allowing remote unaut

CVE-2021-43032 MEDIUM POC
4.8 Nov 03

In XenForo through 2.2.7, a threat actor with access to the admin panel can create a new Advertisement via the Advertisi

CVE-2025-71281 HIGH
8.7 Apr 01

Remote code execution in XenForo versions before 2.3.7 allows authenticated users to invoke unauthorized methods through

CVE-2025-71278 HIGH
8.7 Apr 01

OAuth2 scope enforcement vulnerability in XenForo 2.3.x (prior to 2.3.5) allows authenticated client applications to req

CVE-2025-71282 HIGH
8.7 Apr 01

XenForo forum software versions prior to 2.3.7 disclose server filesystem paths through exception messages triggered by

CVE-2026-35056 HIGH
8.6 Apr 01

Remote code execution in XenForo versions prior to 2.3.9 and 2.2.18 allows authenticated administrators to execute arbit

CVE-2025-71280 MEDIUM
6.9 Apr 01

XenForo before version 2.3.7 exposes sensitive user account information through improper browser caching of account page

CVE-2026-35057 MEDIUM
5.1 Apr 01

Stored cross-site scripting (XSS) in XenForo before 2.3.10 and 2.2.19 allows authenticated attackers to inject malicious

CVE-2026-35055 MEDIUM
5.1 Apr 01

Cross-site scripting (XSS) in XenForo lightbox functionality allows unauthenticated remote attackers to inject malicious

CVE-2026-35054 MEDIUM
5.1 Apr 01

Stored cross-site scripting in XenForo before version 2.3.9 allows authenticated users to inject malicious scripts throu

Share

CVE-2024-25006 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy