
CVE-2024-25006: XenForo before 2.2.14 allows Directory Traversal (with write access) by an authenticated user who has permissions to administer styles, and uses a ZIP archive for Styles Import.


Description

XenForo before 2.2.14 allows Directory Traversal (with write access) by an authenticated user who has permissions to administer styles, and uses a ZIP archive for Styles Import.
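The description covers the archive-based form of directory traversal: an entry name inside an uploaded ZIP (such as `../../something`) that an extractor writes verbatim relative to its target directory. The following Python is an added example written for this page, not XenForo's own code (XenForo is PHP; the same checks apply there). It assumes a hypothetical importer that unpacks a user-supplied archive under a fixed destination and shows the validation a defender would want: reject absolute paths, drive letters, `..` components and symlink entries, then confirm the resolved target still lies under the destination. The archives it processes are constructed in memory for the demonstration.

```python
"""Safe extraction of a user-supplied ZIP archive (e.g. a style import)."""
from __future__ import annotations

import io
import re
import stat
import tempfile
import zipfile
from pathlib import Path


def is_safe_member(name: str) -> bool:
    """Reject entry names that could escape the extraction directory."""
    if not name or name.startswith(("/", "\\")):
        return False                      # absolute POSIX/Windows path
    if re.match(r"^[A-Za-z]:", name):
        return False                      # Windows drive letter
    parts = name.replace("\\", "/").split("/")
    return ".." not in parts              # any parent-directory component


def safe_extract(zip_bytes: bytes, dest: Path) -> list[str]:
    """Extract an archive under dest, raising ValueError on traversal attempts."""
    dest = dest.resolve()
    written: list[str] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if not is_safe_member(name):
                raise ValueError(f"rejected unsafe entry name: {name!r}")
            # Archives can carry symlinks; a link pointing outside dest would
            # turn a later write into an out-of-tree write, so reject them too.
            if stat.S_ISLNK(info.external_attr >> 16):
                raise ValueError(f"rejected symlink entry: {name!r}")
            target = (dest / name).resolve()
            # Belt and braces: after normalisation the target must still be inside dest.
            if target != dest and dest not in target.parents:
                raise ValueError(f"entry escapes destination: {name!r}")
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))
            written.append(name)
    return written


def build_archive(entries: dict[str, bytes]) -> bytes:
    """Constructed test fixture: an in-memory ZIP with the given entry names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)   # writestr keeps the name as given, '..' included
    return buf.getvalue()


def demo() -> tuple[list[str], str]:
    """Extract one benign and one traversal archive; return (written, rejection)."""
    benign = build_archive({"style.xml": b"<style/>", "images/logo.png": b"png"})
    hostile = build_archive({"style.xml": b"<style/>", "../../outside.txt": b"x"})
    with tempfile.TemporaryDirectory() as tmp:
        written = safe_extract(benign, Path(tmp))
        try:
            safe_extract(hostile, Path(tmp))
            rejection = ""
        except ValueError as exc:
            rejection = str(exc)
    return written, rejection


if __name__ == "__main__":
    print(demo())
```

The name check runs before anything is written, so a hostile archive is refused as a whole rather than partially unpacked; the `resolve()` comparison is a second, independent guard in case the name filter ever misses a separator form.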

Classification

CVE ID: CVE-2024-25006

CVSS Base Severity: HIGH

CVSS Base Score: 8.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Affected Products

Vendor: n/a

Product: n/a

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.3% (probability of being exploited)

EPSS Percentile: 52.68% (share of all scored CVEs with an EPSS score less than or equal to this one)

EPSS Date: 2025-06-05 (date the score was calculated)

Stakeholder-Specific Vulnerability Categorization (SSVC)

SSVC Exploitation: none

SSVC Technical Impact: total

SSVC Automatable: false

References

https://nvd.nist.gov/vuln/detail/CVE-2024-25006
https://xenforo.com/docs/xf2/permissions/
https://xenforo.com/tickets/BC37EB98/?v=5da7bd5728
https://xenforo.com/community/threads/xenforo-2-2-14-released.219044/

Timeline