HIGH · CVE-2025-71282 · CVSS 7.5

XenForo Path Disclosure via open_basedir Exceptions

Platform

php

Component

xenforo

Fixed in

2.3.7

AI Confidence: high · NVD · EPSS 0.0% · Reviewed: May 2026

CVE-2025-71282 addresses a vulnerability in XenForo versions 2.3.0 through 2.3.7 that allows attackers to disclose filesystem paths. The vulnerability arises from improper handling of exception messages when open_basedir restrictions are in place. By triggering specific error conditions, an attacker can obtain information about the server's directory structure.

Impact and Attack Scenarios

The primary impact of CVE-2025-71282 is information disclosure. An attacker can leverage this vulnerability to map the server's filesystem, potentially identifying sensitive files and directories. While this vulnerability doesn't directly lead to code execution or data breaches, the gained information can be used to plan further attacks, such as privilege escalation or targeted file access. The blast radius includes all XenForo installations running the affected versions.

Exploitation Context

CVE-2025-71282 was published on 2026-04-01. Its presence on KEV or EPSS is unknown. Public proof-of-concept (POC) code is likely available given the nature of the vulnerability. Active campaigns targeting this vulnerability have not been reported, but the ease of exploitation makes it a potential target.

Who Is at Risk

Organizations running XenForo forums, particularly those with custom plugins or extensions, are at risk. Shared hosting environments where multiple XenForo instances share the same server are also particularly vulnerable, as a compromise of one instance could potentially reveal information about other instances.

Detection Steps

• php / web: Request a page that triggers an error and check the response body for a leaked web root:

curl -sS 'https://example.com/index.php?error_trigger=1' 2>&1 | grep -i 'document_root'

• php / web: Examine XenForo error logs for patterns revealing filesystem paths, such as /var/www/html/ or /opt/xenforo/.

• generic web: Review access logs for requests that trigger exceptions and analyze the corresponding error messages for directory path disclosures.

Attack Timeline

  1. Disclosure

Threat Analysis

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: High
Reports: 1 threat report

EPSS

0.04% (12th percentile)

CISA SSVC

Exploitation: none
Automatable: yes
Technical Impact: partial

CVSS Vector

THREAT ANALYSIS · CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.5 HIGH

Attack Vector: Network (how the attacker reaches the target)
Attack Complexity: Low (conditions required for successful exploitation)
Privileges Required: None (level of authentication required)
User Interaction: None (whether a victim must perform an action)
Scope: Unchanged (impact beyond the vulnerable component)
Confidentiality: High (risk of sensitive data exposure)
Integrity: None (risk of unauthorized data modification)
Availability: None (risk of service disruption)
nextguardhq.com · CVSS v3.1 base score

What do these metrics mean?
Attack Vector
Network: exploitable remotely over the internet. No physical or local access required.
Attack Complexity
Low: no special conditions required. Reliably exploitable.
Privileges Required
None: exploitable without authentication. No credentials required.
User Interaction
None: automatic and silent attack. The victim does nothing.
Scope
Unchanged: impact confined to the vulnerable component.
Confidentiality
High: complete loss of confidentiality. The attacker can read all data.
Integrity
None: no impact on integrity.
Availability
None: no impact on availability.

Affected Software

Component: xenforo
Vendor: XenForo
Affected range: 2.3.0 – 2.3.7
Fixed in: 2.3.7

Vulnerability Classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. EPSS updated

Mitigation and Workarounds

The primary mitigation for CVE-2025-71282 is to upgrade to XenForo version 2.3.7 or later. This version includes a fix that prevents the disclosure of filesystem paths. If an immediate upgrade is not possible, consider implementing stricter open_basedir restrictions to limit the potential impact of the vulnerability. Monitor XenForo error logs for unusual activity that might indicate exploitation attempts. After upgrading, confirm the fix by attempting to trigger the vulnerability and verifying that filesystem paths are no longer disclosed in error messages.
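As an added example that is not part of this page and not XenForo's own code, the scanner below serves both the detection steps above (examining error logs for leaked paths such as /var/www/html/ or /opt/xenforo/) and the log-monitoring advice in the mitigation section. It flags log lines that carry open_basedir exception text or absolute server paths, and includes a redaction helper of the kind a logging or WAF filter could apply before an exception message leaves the server. The log format, the path-prefix list and the sample lines are constructed assumptions, not real XenForo output.

```python
import re

# Constructed sample log lines (assumed format, not real XenForo output):
# a benign request, an open_basedir warning that echoes the allowed-path list
# and a source file path, an exception that leaks an application directory,
# another benign request, and a Windows-style path.
SAMPLE_LOG = """\
[2026-04-02 10:14:03] GET /index.php?threads/hello.1/ 200
[2026-04-02 10:14:09] PHP Warning: file_exists(): open_basedir restriction in effect. File(/etc/passwd) is not within the allowed path(s): (/var/www/html/xenforo:/tmp) in /var/www/html/xenforo/src/XF/Util/File.php on line 233
[2026-04-02 10:14:10] ErrorException: Unable to read /opt/xenforo/internal_data/temp/upload_1.tmp
[2026-04-02 10:14:12] GET /index.php?forums/ 200
[2026-04-02 10:14:15] Warning: Path C:\\inetpub\\xenforo\\internal_data is not writable
"""

# Absolute POSIX paths need at least one directory component followed by "/",
# and must not be preceded by a word character, "." or "/", so URL fragments
# such as "/index.php?threads/hello.1/" are not picked up as filesystem paths.
POSIX_PATH = re.compile(r"(?<![\w./])(/(?:[\w.-]+/)+[\w.-]*)")
# Windows drive paths like C:\inetpub\...
WIN_PATH = re.compile(r"\b([A-Za-z]:\\(?:[\w.-]+\\)*[\w.-]*)")
OPEN_BASEDIR = re.compile(r"open_basedir restriction", re.IGNORECASE)

# Prefixes that reveal a web root or application directory. The page names
# /var/www/html/ and /opt/xenforo/; the rest is an assumed starting list to
# tune per deployment.
SUSPICIOUS_PREFIXES = ("/var/www", "/opt/xenforo", "/home/", "/srv/", "/usr/share")


def disclosed_paths(line: str) -> list:
    """Return absolute server paths found in one log line."""
    paths = [p for p in POSIX_PATH.findall(line) if p.startswith(SUSPICIOUS_PREFIXES)]
    return paths + WIN_PATH.findall(line)


def scan_log(text: str) -> list:
    """Return (line number, reason, paths) for every line that looks like a
    path disclosure: open_basedir exception text or an absolute server path."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        reasons = []
        if OPEN_BASEDIR.search(line):
            reasons.append("open_basedir exception text")
        paths = disclosed_paths(line)
        if paths:
            reasons.append("absolute server path")
        if reasons:
            findings.append((lineno, ", ".join(reasons), paths))
    return findings


def redact_paths(message: str) -> str:
    """Replace server paths with a placeholder, leaving URL-style paths alone.
    Intended for a logging or response filter, not as a substitute for the upgrade."""
    def posix_sub(m):
        p = m.group(1)
        return "[path]" if p.startswith(SUSPICIOUS_PREFIXES) else p
    message = POSIX_PATH.sub(posix_sub, message)
    return WIN_PATH.sub("[path]", message)


if __name__ == "__main__":
    for lineno, reason, paths in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {reason}: {paths}")
    print(redact_paths("Unable to read /opt/xenforo/internal_data/temp/upload_1.tmp"))
```

Run against a real error log the scanner reports lines 2, 3 and 5 of the sample; tune SUSPICIOUS_PREFIXES to the document roots actually in use, since a path outside that list (such as the /etc/passwd argument in line 2) is the requested file rather than a disclosure of server layout.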

How to Fix

Upgrade XenForo to version 2.3.7 or later. This version fixes the path disclosure vulnerability. The upgrade can be performed through the XenForo admin control panel.


Frequently Asked Questions

What is CVE-2025-71282 — Information Disclosure in XenForo?

CVE-2025-71282 is a HIGH severity vulnerability in XenForo versions 2.3.0 through 2.3.7 that allows attackers to expose filesystem paths through exception messages, even with open_basedir restrictions.

Am I affected by CVE-2025-71282 in XenForo?

If you are running XenForo versions 2.3.0 through 2.3.7, you are potentially affected by this vulnerability. Upgrade to version 2.3.7 or later to mitigate the risk.

How do I fix CVE-2025-71282 in XenForo?

The recommended fix is to upgrade XenForo to version 2.3.7 or later. As a temporary workaround, implement a WAF rule to filter exception messages.

Is CVE-2025-71282 being actively exploited?

There is currently no evidence of active exploitation campaigns targeting CVE-2025-71282, but the vulnerability's nature makes it easily exploitable.

Where can I find the official XenForo advisory for CVE-2025-71282?

Please refer to the official XenForo security advisory for detailed information and updates regarding CVE-2025-71282: https://xenforo.com/security/advisories/
