Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionCVE.org
XenForo before 2.3.5 allows OAuth2 client applications to request unauthorized scopes. This affects any customer using OAuth2 clients on any version of XenForo 2.3 prior to 2.3.5, potentially allowing client applications to gain access beyond their intended authorization level.
AnalysisAI
OAuth2 scope enforcement vulnerability in XenForo 2.3.x (prior to 2.3.5) allows authenticated client applications to request and obtain unauthorized scopes, escalating access beyond intended authorization levels. This authentication bypass flaw (CWE-863) enables malicious OAuth2 clients to gain elevated privileges to user data and platform functions. CVSS 8.7 (High) reflects the network-accessible attack vector with low complexity, though requires low-level privileges (authenticated OAuth client). No public exploit identified at time of analysis, with EPSS data unavailable for recent CVE.
Technical ContextAI
XenForo is a PHP-based forum and community software platform. This vulnerability affects the OAuth2 authorization framework implementation in versions 2.3.0 through 2.3.4. OAuth2 uses scope parameters to define the extent of access granted to client applications (e.g., read-only profile access vs. full account control). The underlying flaw is an authorization enforcement weakness (CWE-863: Incorrect Authorization), where the server fails to properly validate requested scopes against the client's permitted scope whitelist during the authorization flow. This allows a compromised or malicious OAuth2 client application-already registered with limited permissions-to request and receive broader scopes during token exchange, effectively bypassing the principle of least privilege. Affected product per CPE: XenForo versions prior to 2.3.5 (cpe:2.3:a:xenforo:xenforo:*:*:*:*:*:*:*:*).
RemediationAI
Upgrade immediately to XenForo version 2.3.5, which includes a security patch addressing the OAuth2 scope validation flaw. The vendor released this patch as part of a coordinated security update documented at https://xenforo.com/community/threads/xenforo-2-3-5-includes-security-fix-add-ons-released.228812/. No workarounds are published; patching is the only confirmed mitigation. As an interim risk reduction measure, administrators should audit all registered OAuth2 client applications, revoke credentials for untrusted or unnecessary clients, and review application logs for anomalous scope requests. Post-upgrade, regenerate OAuth2 client secrets as a precautionary measure to invalidate any tokens potentially issued with excessive scopes prior to patching. Detailed security advisory available at https://www.vulncheck.com/advisories/xenforo-oauth2-unauthorized-scope-request.
Authentication bypass in XenForo versions prior to 2.3.7 compromises passkey-based authentication, allowing remote unaut
Remote code execution in XenForo versions before 2.3.7 allows authenticated users to invoke unauthorized methods through
XenForo forum software versions prior to 2.3.7 disclose server filesystem paths through exception messages triggered by
Remote code execution in XenForo versions prior to 2.3.9 and 2.2.18 allows authenticated administrators to execute arbit
XenForo before version 2.3.7 exposes sensitive user account information through improper browser caching of account page
Stored cross-site scripting (XSS) in XenForo before 2.3.10 and 2.2.19 allows authenticated attackers to inject malicious
Cross-site scripting (XSS) in XenForo lightbox functionality allows unauthenticated remote attackers to inject malicious
Stored cross-site scripting in XenForo before version 2.3.9 allows authenticated users to inject malicious scripts throu
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-209150
GHSA-499p-g3jm-62mp