PT-2025-54215 · Trueconf · Trueconf Server

X00Nullbit · Published 2025-12-30 · Updated 2026-01-02 · CVE-2025-66824

CVSS v3.1: 8.7 (High)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: TrueConf Server version 5.5.2.10813

Description: A Stored Cross-Site Scripting (XSS) issue exists in the Meeting location field within the Create/Edit Conference functionality. The issue is due to improper sanitization of user-supplied input in the meeting room parameter. An attacker can inject a malicious payload into the meeting room parameter, which is then stored and executed when users access the Conference Info page. Successful exploitation of this issue can lead to full Account Takeover (ATO).

Recommendations: Update to a newer version that contains a fix for this vulnerability. As a temporary workaround, consider restricting or disabling the Create/Edit Conference functionality until a patch is available.
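The pattern behind this class of finding, shown as an added example that is not TrueConf code: a free-text field (here a meeting location) is stored as entered and later rendered into an info page. The first render function concatenates the stored value straight into HTML, which is the defect the advisory describes; the second applies HTML entity encoding at output, which is the standard fix. The in-memory `conferences` map, the function names and the sample input are all constructed for illustration and make no claim about how TrueConf Server actually stores or renders the field.

```javascript
// Added example (not TrueConf code): contextual output encoding for a stored
// free-text field rendered into an HTML page.

// Encode the five characters that matter in HTML text and attribute context.
// '&' must be handled first so already-encoded output is not double-encoded
// in a way that breaks the later replacements.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// In-memory stand-in for the conference database (assumption for the demo).
const conferences = new Map();

// Store the field as typed. Keeping the raw value and encoding on output is
// the usual design: the same value may later be rendered into HTML, JSON or
// a plain-text invitation, and each context needs its own encoding.
function saveConference(id, fields) {
  conferences.set(id, { location: String(fields.location ?? "") });
}

// Vulnerable pattern: stored value concatenated into markup unencoded, so any
// markup in the field becomes part of the page for every viewer.
function renderInfoUnsafe(id) {
  const c = conferences.get(id);
  return `<dl><dt>Location</dt><dd>${c.location}</dd></dl>`;
}

// Hardened pattern: identical template, value encoded for HTML text context.
function renderInfoSafe(id) {
  const c = conferences.get(id);
  return `<dl><dt>Location</dt><dd>${escapeHtml(c.location)}</dd></dl>`;
}

// Regression-style check a reviewer or test suite can run: the rendered
// <dd> must contain no raw '<' or '>' once the stored value is interpolated,
// regardless of what the field holds.
function locationCellIsInert(html) {
  const m = html.match(/<dd>([\s\S]*?)<\/dd>/);
  if (!m) return false;
  return !/[<>]/.test(m[1]);
}

// Stand-alone demonstration with a constructed test value.
saveConference("demo", { location: "Room 4 <script>alert(1)</script>" });
console.log("unsafe :", renderInfoUnsafe("demo"));
console.log("safe   :", renderInfoSafe("demo"));
console.log("inert? :", locationCellIsInert(renderInfoSafe("demo")));
```

Output encoding is the fix; input "sanitization" that tries to strip tags is weaker because the same stored value reaches several output contexts and a blocklist is easy to miss cases in. A Content-Security-Policy without `unsafe-inline` is a useful second layer but does not replace encoding, and rendering this page through a templating engine that auto-escapes by default removes the chance of forgetting the call.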

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers: BDU:2026-04922, CVE-2025-66824

Affected Products: Trueconf Server