Platform: php
Component: xenforo
Fixed in: 2.3.5
CVE-2025-71278 describes an OAuth2 scope authorization issue in XenForo. This vulnerability allows OAuth2 client applications to request scopes beyond their intended authorization level, potentially leading to unauthorized data access or actions. This affects XenForo versions 2.3.0 through 2.3.5. The vulnerability is fixed in version 2.3.5.
CVE-2025-71278 in XenForo affects OAuth2 client applications, allowing them to request unauthorized scopes. This means an application, designed to access a limited set of data, could potentially request and obtain access to broader information or functionalities than it should. The risk is significant for any XenForo customer utilizing OAuth2 clients on versions prior to 2.3.5. Successful exploitation could result in the disclosure of confidential information, data manipulation, or even unauthorized administrative access, depending on the scopes requested and the system configuration. The CVSS severity score of 8.8 indicates a high risk, requiring immediate attention.
The vulnerability manifests in how XenForo handles authorization requests from OAuth2 applications. An attacker could create or compromise an OAuth2 application and manipulate its authorization request to include unauthorized scopes. If XenForo does not properly validate these scopes, the application could obtain access to resources it shouldn't. Exploitation requires access to an OAuth2 application and the ability to modify its authorization request. The likelihood of exploitation depends on the prevalence of OAuth2 usage in the XenForo installation and the awareness of application developers regarding this vulnerability.
Exploit Status
EPSS: 0.04% (13th percentile)
The solution for CVE-2025-71278 is to upgrade XenForo to version 2.3.5 or higher. This update corrects the vulnerability by properly validating scope requests from OAuth2 client applications. It is highly recommended to perform the upgrade as soon as possible, especially if your forum uses OAuth2 for third-party application authentication or authorization. Before upgrading, it is crucial to create a full backup of your forum’s database and files. Consult the official XenForo documentation for detailed instructions on the upgrade process. Additionally, review the configuration of your OAuth2 applications to ensure they only request the strictly necessary scopes.
Update XenForo to version 2.3.5 or later. This update corrects the vulnerability that allows OAuth2 client applications to request unauthorized scopes.
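The class of check the fix restores is illustrated below with an added example written for this page; it is not XenForo code and makes no claim about how XenForo implements it. It assumes a hypothetical client registry and constructed client ids and scope names, and shows an authorization server refusing a scope request that exceeds what the client was registered for, logging the overreach so it is visible to monitoring.

```php
<?php
// Added illustrative example (not XenForo code): the authorization server
// compares the scopes a client asks for against the scopes registered for
// that client and refuses anything beyond them. Client ids and scope names
// are constructed for the demo.

// Constructed client registry: client id => scopes granted at registration time.
const CLIENT_REGISTRY = [
    'forum-stats-widget' => ['user:read', 'thread:read'],
    'moderation-helper'  => ['user:read', 'thread:read', 'thread:write'],
];

/**
 * Validate the "scope" parameter of an authorization request (RFC 6749 s3.3:
 * space-delimited, case-sensitive tokens).
 * Returns ['ok' => true, 'scopes' => [...]] or
 * ['ok' => false, 'error' => 'invalid_client'|'invalid_scope', 'rejected' => [...]].
 */
function validateRequestedScopes(string $clientId, string $scopeParam): array
{
    if (!isset(CLIENT_REGISTRY[$clientId])) {
        return ['ok' => false, 'error' => 'invalid_client', 'rejected' => []];
    }
    $allowed = CLIENT_REGISTRY[$clientId];

    // Split on spaces, drop empty tokens, deduplicate; never normalise or
    // "fix up" scope names, since that would let near-misses slip through.
    $requested = array_values(array_unique(array_filter(explode(' ', trim($scopeParam)), 'strlen')));
    if ($requested === []) {
        return ['ok' => false, 'error' => 'invalid_scope', 'rejected' => []];
    }

    // Any token outside the client's registered set rejects the whole request.
    // Silently narrowing the grant instead would hide the overreach from logs.
    $rejected = array_values(array_diff($requested, $allowed));
    if ($rejected !== []) {
        error_log(sprintf('oauth2 scope overreach: client=%s rejected=%s',
            $clientId, implode(',', $rejected)));
        return ['ok' => false, 'error' => 'invalid_scope', 'rejected' => $rejected];
    }
    return ['ok' => true, 'scopes' => $requested];
}

// Demo: an in-policy request, then one asking for scopes the client never registered.
print_r(validateRequestedScopes('forum-stats-widget', 'user:read thread:read'));
print_r(validateRequestedScopes('forum-stats-widget', 'user:read thread:write admin:all'));
```

The `error_log` line is the detection hook: repeated `invalid_scope` rejections for one client id are the signal the monitoring advice on this page refers to.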
OAuth2 is an authorization protocol that allows third-party applications to access protected resources on behalf of a user, without the user needing to share their credentials directly with the application.
If a compromised OAuth2 application exploits this vulnerability, it could access user data beyond what it should, potentially compromising their privacy and security.
If you cannot upgrade immediately, consider restricting the scopes that OAuth2 applications can request and closely monitor OAuth2 activity on your forum.
Consult the official XenForo documentation on their website for detailed instructions on how to upgrade to version 2.3.5 or higher.
Currently, there is no specific tool to detect this vulnerability. The only secure way to verify is to confirm that you are using version 2.3.5 or higher of XenForo.