CVE-2025-66824

High CVSS: 8.7

A Stored Cross-Site Scripting (XSS) vulnerability exists in the Meeting location field of the Create/Edit Conference functionality in TrueConf Server v5.5.2.10813. The injected payload is stored via the meeting_room parameter and executed when users visit the Conference Info page, allowing attackers to achieve full Account Takeover (ATO). This issue is caused by improper sanitization of user-supplied input in the meeting_room field.

Vendor

Trueconf

Product

Server

CWE

CWE-79

Yayın Tarihi

2025-12-30 19:15:44

Güncelleme

2026-01-07 15:41:22

Source Identifier

cve@mitre.org

KEV Date Added

Kategoriler

CWE-79 Server HIGH Trueconf 2025

Referanslar

https://github.com/x00nullbit/CVE-References/blob/main/CVE-2025-66824/README.md https://trueconf.com https://github.com/x00nullbit/CVE-References/blob/main/CVE-2025-66824/README.md

Benzer Kayıtlar

High

CVE-2026-3502

TrueConf Client downloads application update code and applies it without performing verification. An attacker who is abl…

Medium

CVE-2025-66823

An HTML Injection vulnerability in TrueConf server 5.5.2.10813 in the conference description field allows an attacker to…

High

CVE-2025-66834

A CSV Formula Injection vulnerability in TrueConf Server v5.5.2.10813 allows a normal user to inject malicious spreadshe…

High

CVE-2025-66835

TrueConf Client 8.5.2 is vulnerable to DLL hijacking via crafted wfapi.dll allowing local attackers to execute arbitrary…