fkie_cve-2025-63711
Vulnerability from fkie_nvd
Published: 2025-11-10 15:15
Modified: 2025-11-17 18:16
Summary
A Cross-Site Request Forgery (CSRF) vulnerability in the SourceCodester Client Database Management System 1.0 allows an attacker to cause an authenticated administrative user to perform user deletion actions without their consent. The application's user deletion endpoint (e.g., superadmin_user_delete.php) accepts POST requests containing a user_id parameter and does not enforce request origin or anti-CSRF tokens. Because the endpoint lacks proper authentication/authorization checks and CSRF protections, a remote attacker can craft a malicious page that triggers deletion when visited by an authenticated admin, resulting in arbitrary removal of user accounts.

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:lerouxyxchire:client_database_management_system:1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "DFE80DE6-C79F-452F-9523-4EC1F9777DA4",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A Cross-Site Request Forgery (CSRF) vulnerability in the SourceCodester Client Database Management System 1.0 allows an attacker to cause an authenticated administrative user to perform user deletion actions without their consent. The application\u0027s user deletion endpoint (e.g., superadmin_user_delete.php) accepts POST requests containing a user_id parameter and does not enforce request origin or anti-CSRF tokens. Because the endpoint lacks proper authentication/authorization checks and CSRF protections, a remote attacker can craft a malicious page that triggers deletion when visited by an authenticated admin, resulting in arbitrary removal of user accounts."
    },
    {
      "lang": "es",
      "value": "Una vulnerabilidad de falsificaci\u00f3n de petici\u00f3n en sitios cruzados (CSRF) en el Sistema de Gesti\u00f3n de Base de Datos de Cliente SourceCodester 1.0 permite a un atacante hacer que un usuario administrativo autenticado realice acciones de eliminaci\u00f3n de usuarios sin su consentimiento. El endpoint de eliminaci\u00f3n de usuarios de la aplicaci\u00f3n (por ejemplo, superadmin_user_delete.php) acepta peticiones POST que contienen un par\u00e1metro user_id y no aplica el origen de la petici\u00f3n ni tokens anti-CSRF. Debido a que el endpoint carece de comprobaciones adecuadas de autenticaci\u00f3n/autorizaci\u00f3n y protecciones CSRF, un atacante remoto puede crear una p\u00e1gina maliciosa que activa la eliminaci\u00f3n cuando es visitada por un administrador autenticado, lo que resulta en la eliminaci\u00f3n arbitraria de cuentas de usuario."
    }
  ],
  "id": "CVE-2025-63711",
  "lastModified": "2025-11-17T18:16:51.357",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 7.1,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 4.2,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-11-10T15:15:38.057",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Exploit",
        "Mitigation",
        "Third Party Advisory"
      ],
      "url": "https://github.com/floccocam-cpu/CVE-Research-2025/blob/main/CVE-2025-63711/README3.md"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Product"
      ],
      "url": "https://www.sourcecodester.com/php/17514/client-database-management-system.html"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-352"
        }
      ],
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "type": "Secondary"
    }
  ]
}

