CVE-2025-9747 (GCVE-0-2025-9747)
Vulnerability from cvelistv5 – Published: 2025-08-31 21:32 – Updated: 2025-09-02 15:12 – Tag: x_open-source
Title
Koillection csrf_protection_controller.js cross-site request forgery
Summary
A vulnerability has been found in Koillection up to 1.6.18. Affected is an unknown function of the file assets/controllers/csrf_protection_controller.js. Such manipulation leads to cross-site request forgery. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.7.0 is able to address this issue. The name of the patch is 9ab8562d3f1e953da93fed63f9ee802c7ea26a9a. It is suggested to upgrade the affected component. The vendor explains: "I ended up switching to a newer CSRF handling using stateless token."
Severity: Medium according to the CNA (VulDB): CVSS 4.0 base score 5.3 (AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N), CVSS 3.1 base score 4.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N). NVD's own primary CVSS 3.1 assessment is 8.8 High (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), so the two sources disagree on impact; treat the NVD score as the conservative one when prioritising. Weaknesses: CWE-352 Cross-Site Request Forgery, CWE-862 Missing Authorization. CISA SSVC: Exploitation poc, Automatable yes, Technical Impact partial.
Assigner: VulDB (cna@vuldb.com)
References
| URL | Tags |
|---|---|
| https://vuldb.com/?id.322047 | vdb-entry |
| https://vuldb.com/?ctiid.322047 | signature, permissions-required |
| https://vuldb.com/?submit.640421 | third-party-advisory |
| https://github.com/benjaminjonard/koillection/issues/1393 | issue-tracking, exploit |
| https://github.com/benjaminjonard/koillection/issues/1393#issuecomment-3217310072 | issue-tracking, exploit |
| https://github.com/benjaminjonard/koillection/issues/1393#issue-3347724086 | exploit, issue-tracking |
| https://github.com/benjaminjonard/koillection/commit/9ab8562d3f1e953da93fed63f9ee802c7ea26a9a | patch |
| https://github.com/benjaminjonard/koillection/releases/tag/1.7.0 | patch |
Impacted products
| Vendor | Product | Affected versions | Unaffected version |
|---|---|---|---|
| n/a | Koillection | 1.6.0, 1.6.1, 1.6.2, 1.6.3, 1.6.4, 1.6.5, 1.6.6, 1.6.7, 1.6.8, 1.6.9, 1.6.10, 1.6.11, 1.6.12, 1.6.13, 1.6.14, 1.6.15, 1.6.16, 1.6.17, 1.6.18 | 1.7.0 |
Credits
balejin (VulDB User)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-9747",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-02T14:35:14.764346Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-02T15:12:53.887Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/benjaminjonard/koillection/issues/1393#issuecomment-3217310072"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/benjaminjonard/koillection/issues/1393"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/benjaminjonard/koillection/issues/1393#issue-3347724086"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Koillection",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "1.6.0"
},
{
"status": "affected",
"version": "1.6.1"
},
{
"status": "affected",
"version": "1.6.2"
},
{
"status": "affected",
"version": "1.6.3"
},
{
"status": "affected",
"version": "1.6.4"
},
{
"status": "affected",
"version": "1.6.5"
},
{
"status": "affected",
"version": "1.6.6"
},
{
"status": "affected",
"version": "1.6.7"
},
{
"status": "affected",
"version": "1.6.8"
},
{
"status": "affected",
"version": "1.6.9"
},
{
"status": "affected",
"version": "1.6.10"
},
{
"status": "affected",
"version": "1.6.11"
},
{
"status": "affected",
"version": "1.6.12"
},
{
"status": "affected",
"version": "1.6.13"
},
{
"status": "affected",
"version": "1.6.14"
},
{
"status": "affected",
"version": "1.6.15"
},
{
"status": "affected",
"version": "1.6.16"
},
{
"status": "affected",
"version": "1.6.17"
},
{
"status": "affected",
"version": "1.6.18"
},
{
"status": "unaffected",
"version": "1.7.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "balejin (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been found in Koillection up to 1.6.18. Affected is an unknown function of the file assets/controllers/csrf_protection_controller.js. Such manipulation leads to cross-site request forgery. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.7.0 is able to address this issue. The name of the patch is 9ab8562d3f1e953da93fed63f9ee802c7ea26a9a. It is suggested to upgrade the affected component. The vendor explains: \"I ended up switching to a newer CSRF handling using stateless token.\""
},
{
"lang": "de",
"value": "In Koillection bis 1.6.18 ist eine Schwachstelle entdeckt worden. Betroffen hiervon ist ein unbekannter Ablauf der Datei assets/controllers/csrf_protection_controller.js. Mittels dem Manipulieren mit unbekannten Daten kann eine cross-site request forgery-Schwachstelle ausgenutzt werden. Der Angriff kann remote ausgef\u00fchrt werden. Die Schwachstelle wurde \u00f6ffentlich offengelegt und k\u00f6nnte ausgenutzt werden. Durch ein Upgrade auf Version 1.7.0 kann dieses Problem behoben werden. Der Patch tr\u00e4gt den Namen 9ab8562d3f1e953da93fed63f9ee802c7ea26a9a. Es wird geraten, die betroffene Komponente zu aktualisieren."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 5,
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:OF/RC:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "Cross-Site Request Forgery",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-31T21:32:07.963Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-322047 | Koillection csrf_protection_controller.js cross-site request forgery",
"tags": [
"vdb-entry"
],
"url": "https://vuldb.com/?id.322047"
},
{
"name": "VDB-322047 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.322047"
},
{
"name": "Submit #640421 | GitHub koillection 1.6.18 Cross-Site Request Forgery",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.640421"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/benjaminjonard/koillection/issues/1393"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/benjaminjonard/koillection/issues/1393#issuecomment-3217310072"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/benjaminjonard/koillection/issues/1393#issue-3347724086"
},
{
"tags": [
"patch"
],
"url": "https://github.com/benjaminjonard/koillection/commit/9ab8562d3f1e953da93fed63f9ee802c7ea26a9a"
},
{
"tags": [
"patch"
],
"url": "https://github.com/benjaminjonard/koillection/releases/tag/1.7.0"
}
],
"tags": [
"x_open-source"
],
"timeline": [
{
"lang": "en",
"time": "2025-08-30T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-08-30T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-08-30T23:02:13.000Z",
"value": "VulDB entry last update"
}
],
"title": "Koillection csrf_protection_controller.js cross-site request forgery"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-9747",
"datePublished": "2025-08-31T21:32:07.963Z",
"dateReserved": "2025-08-30T20:57:01.319Z",
"dateUpdated": "2025-09-02T15:12:53.887Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2025-9747\",\"sourceIdentifier\":\"cna@vuldb.com\",\"published\":\"2025-08-31T22:15:32.010\",\"lastModified\":\"2025-09-04T16:46:43.997\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A vulnerability has been found in Koillection up to 1.6.18. Affected is an unknown function of the file assets/controllers/csrf_protection_controller.js. Such manipulation leads to cross-site request forgery. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.7.0 is able to address this issue. The name of the patch is 9ab8562d3f1e953da93fed63f9ee802c7ea26a9a. It is suggested to upgrade the affected component. The vendor explains: \\\"I ended up switching to a newer CSRF handling using stateless token.\\\"\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"cna@vuldb.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"PASSIVE\",\"vulnConfidentialityImpact\":\"NONE\",\"vulnIntegrityImpact\":\"LOW\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"PROOF_OF_CONCEPT\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"cna@vuldb.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N\",\"baseScore\":4.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":1.4},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"cna@vuldb.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:N/I:P/A:N\",\"baseScore\":5.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":10.0,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"cna@vuldb.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-352\"},{\"lang\":\"en\",\"value\":\"CWE-862\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-352\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:benjaminjonard:koillection:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.7.0\",\"matchCriteriaId\":\"05B871CE-B3B6-49E2-85D9-D401F4848F29\"}]}]}],\"references\":[{\"url\":\"https://github.com/benjaminjonard/koillection/commit/9ab8562d3f1e953da93fed63f9ee802c7ea26a9a\",\"source\":\"cna@vuldb.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/benjaminjonard/koillection/issues/1393\",\"source\":\"cna@vuldb.com\",\"tags\":[\"Exploit\",\"Issue Tracking\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/benjaminjonard/koillection/issues/1393#issue-3347724086\",\"source\":\"cna@vuldb.com\",\"tags\":[\"Exploit\",\"Issue Tracking\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/benjaminjonard/koillection/issues/1393#issuecomment-3217310072\",\"source\":\"cna@vuldb.com\",\"tags\":[\"Exploit\",\"Issue Tracking\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/benjaminjonard/koillection/releases/tag/1.7.0\",\"source\":\"cna@vuldb.com\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://vuldb.com/?ctiid.322047\",\"source\":\"cna@vuldb.com\",\"tags\":[\"Permissions Required\",\"VDB Entry\"]},{\"url\":\"https://vuldb.com/?id.322047\",\"source\":\"cna@vuldb.com\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://vuldb.com/?submit.640421\",\"source\":\"cna@vuldb.com\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://github.com/benjaminjonard/koillection/issues/1393\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"Exploit\",\"Issue Tracking\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/benjaminjonard/koillection/issues/1393#issue-3347724086\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"Exploit\",\"Issue Tracking\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/benjaminjonard/koillection/issues/1393#issuecomment-3217310072\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"Exploit\",\"Issue Tracking\",\"Third Party Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-9747\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-09-02T14:35:14.764346Z\"}}}], \"references\": [{\"url\": \"https://github.com/benjaminjonard/koillection/issues/1393#issuecomment-3217310072\", \"tags\": [\"exploit\"]}, {\"url\": \"https://github.com/benjaminjonard/koillection/issues/1393\", \"tags\": [\"exploit\"]}, {\"url\": \"https://github.com/benjaminjonard/koillection/issues/1393#issue-3347724086\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-09-02T14:35:17.948Z\"}}], \"cna\": {\"tags\": [\"x_open-source\"], \"title\": \"Koillection csrf_protection_controller.js cross-site request forgery\", \"credits\": [{\"lang\": \"en\", \"type\": \"reporter\", \"value\": \"balejin (VulDB User)\"}], \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 5.3, \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P\"}}, {\"cvssV3_1\": {\"version\": \"3.1\", \"baseScore\": 4.3, \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C\"}}, {\"cvssV3_0\": {\"version\": \"3.0\", \"baseScore\": 4.3, \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C\"}}, {\"cvssV2_0\": {\"version\": \"2.0\", \"baseScore\": 5, \"vectorString\": \"AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:OF/RC:C\"}}], \"affected\": [{\"vendor\": \"n/a\", \"product\": \"Koillection\", \"versions\": [{\"status\": \"affected\", \"version\": \"1.6.0\"}, {\"status\": \"affected\", \"version\": \"1.6.1\"}, {\"status\": \"affected\", \"version\": \"1.6.2\"}, {\"status\": \"affected\", \"version\": \"1.6.3\"}, {\"status\": \"affected\", \"version\": \"1.6.4\"}, {\"status\": \"affected\", \"version\": \"1.6.5\"}, {\"status\": \"affected\", \"version\": \"1.6.6\"}, {\"status\": \"affected\", \"version\": \"1.6.7\"}, {\"status\": \"affected\", \"version\": \"1.6.8\"}, {\"status\": \"affected\", \"version\": \"1.6.9\"}, {\"status\": \"affected\", \"version\": \"1.6.10\"}, {\"status\": \"affected\", \"version\": \"1.6.11\"}, {\"status\": \"affected\", \"version\": \"1.6.12\"}, {\"status\": \"affected\", \"version\": \"1.6.13\"}, {\"status\": \"affected\", \"version\": \"1.6.14\"}, {\"status\": \"affected\", \"version\": \"1.6.15\"}, {\"status\": \"affected\", \"version\": \"1.6.16\"}, {\"status\": \"affected\", \"version\": \"1.6.17\"}, {\"status\": \"affected\", \"version\": \"1.6.18\"}, {\"status\": \"unaffected\", \"version\": \"1.7.0\"}]}], \"timeline\": [{\"lang\": \"en\", \"time\": \"2025-08-30T00:00:00.000Z\", \"value\": \"Advisory disclosed\"}, {\"lang\": \"en\", \"time\": \"2025-08-30T02:00:00.000Z\", \"value\": \"VulDB entry created\"}, {\"lang\": \"en\", \"time\": \"2025-08-30T23:02:13.000Z\", \"value\": \"VulDB entry last update\"}], \"references\": [{\"url\": \"https://vuldb.com/?id.322047\", \"name\": \"VDB-322047 | Koillection csrf_protection_controller.js cross-site request forgery\", \"tags\": [\"vdb-entry\"]}, {\"url\": \"https://vuldb.com/?ctiid.322047\", \"name\": \"VDB-322047 | CTI Indicators (IOB, IOC, IOA)\", \"tags\": [\"signature\", \"permissions-required\"]}, {\"url\": \"https://vuldb.com/?submit.640421\", \"name\": \"Submit #640421 | GitHub koillection 1.6.18 Cross-Site Request Forgery\", \"tags\": [\"third-party-advisory\"]}, {\"url\": \"https://github.com/benjaminjonard/koillection/issues/1393\", \"tags\": [\"issue-tracking\"]}, {\"url\": \"https://github.com/benjaminjonard/koillection/issues/1393#issuecomment-3217310072\", \"tags\": [\"issue-tracking\"]}, {\"url\": \"https://github.com/benjaminjonard/koillection/issues/1393#issue-3347724086\", \"tags\": [\"exploit\", \"issue-tracking\"]}, {\"url\": \"https://github.com/benjaminjonard/koillection/commit/9ab8562d3f1e953da93fed63f9ee802c7ea26a9a\", \"tags\": [\"patch\"]}, {\"url\": \"https://github.com/benjaminjonard/koillection/releases/tag/1.7.0\", \"tags\": [\"patch\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"A vulnerability has been found in Koillection up to 1.6.18. Affected is an unknown function of the file assets/controllers/csrf_protection_controller.js. Such manipulation leads to cross-site request forgery. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.7.0 is able to address this issue. The name of the patch is 9ab8562d3f1e953da93fed63f9ee802c7ea26a9a. It is suggested to upgrade the affected component. The vendor explains: \\\"I ended up switching to a newer CSRF handling using stateless token.\\\"\"}, {\"lang\": \"de\", \"value\": \"In Koillection bis 1.6.18 ist eine Schwachstelle entdeckt worden. Betroffen hiervon ist ein unbekannter Ablauf der Datei assets/controllers/csrf_protection_controller.js. Mittels dem Manipulieren mit unbekannten Daten kann eine cross-site request forgery-Schwachstelle ausgenutzt werden. Der Angriff kann remote ausgef\\u00fchrt werden. Die Schwachstelle wurde \\u00f6ffentlich offengelegt und k\\u00f6nnte ausgenutzt werden. Durch ein Upgrade auf Version 1.7.0 kann dieses Problem behoben werden. Der Patch tr\\u00e4gt den Namen 9ab8562d3f1e953da93fed63f9ee802c7ea26a9a. Es wird geraten, die betroffene Komponente zu aktualisieren.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-352\", \"description\": \"Cross-Site Request Forgery\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-862\", \"description\": \"Missing Authorization\"}]}], \"providerMetadata\": {\"orgId\": \"1af790b2-7ee1-4545-860a-a788eba489b5\", \"shortName\": \"VulDB\", \"dateUpdated\": \"2025-08-31T21:32:07.963Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2025-9747\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-09-02T15:12:53.887Z\", \"dateReserved\": \"2025-08-30T20:57:01.319Z\", \"assignerOrgId\": \"1af790b2-7ee1-4545-860a-a788eba489b5\", \"datePublished\": \"2025-08-31T21:32:07.963Z\", \"assignerShortName\": \"VulDB\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.