FKIE_CVE-2025-63710
Vulnerability from fkie_nvd - Published: 2025-11-10 15:15 - Updated: 2025-11-17 18:18
Severity: Medium (CVSS v3.1 base score 6.5, vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N, from the secondary source in the record below)
Summary
The send_message.php endpoint in SourceCodester Simple Public Chat Room 1.0 is vulnerable to Cross-Site Request Forgery (CSRF). The application does not implement any CSRF-protection mechanisms such as tokens, nonces, or same-site cookie restrictions. An attacker can create a malicious HTML page that, when visited by an authenticated user, will automatically submit a forged POST request to the vulnerable endpoint. This request will be executed with the victim's privileges, allowing the attacker to perform unauthorized actions on their behalf, such as sending arbitrary messages in any chat room.
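The vulnerable 1.0 handler accepts any POST that arrives with the victim's session cookie, which is exactly what a cross-site auto-submitting form delivers. The following is an added illustration, not code from the project or from the advisory: a send_message.php rewritten with the three controls the summary names as missing, a SameSite session cookie, a per-session synchronizer token checked with a constant-time compare, and an Origin/Referer check as defense in depth. The field names room, message and csrf_token, the $_SESSION['user'] login flag and the JSON-lines message store are assumptions; the page does not give the application's real field names or storage.

```php
<?php
// Added example, not the project's code: send_message.php with CSRF defenses.
// Assumptions (not from the advisory): the form posts "room", "message" and
// "csrf_token"; a logged-in user is recorded in $_SESSION['user']; messages are
// appended to messages.jsonl next to this script. Requires PHP 7.3+ for the
// array form of session_set_cookie_params().
declare(strict_types=1);

// Defense 1: SameSite=Lax keeps the session cookie off cross-site POSTs, so a
// forged form on another site arrives without the victim's session. Must run
// before session_start().
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => !empty($_SERVER['HTTPS']),
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();

// Defense 2: synchronizer token. One unguessable token per session, embedded in
// the form and required on every state-changing request.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrf_valid($submitted): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    // hash_equals() is constant-time; the type and emptiness checks keep it from
    // being called with an array (csrf_token[]=x) or with no token in the session.
    return is_string($submitted) && $expected !== '' && hash_equals($expected, $submitted);
}

// Defense 3 (defense in depth): browsers attach Origin (or at least Referer) to
// a cross-site form post, and the attacker's page cannot override either header.
function request_is_same_origin(): bool
{
    $source = $_SERVER['HTTP_ORIGIN'] ?? $_SERVER['HTTP_REFERER'] ?? null;
    if ($source === null) {
        return false; // neither header present: reject rather than guess
    }
    $sourceHost = parse_url($source, PHP_URL_HOST);          // null for "Origin: null"
    $ownHost    = parse_url('http://' . ($_SERVER['HTTP_HOST'] ?? ''), PHP_URL_HOST); // strips any :port
    return is_string($sourceHost) && is_string($ownHost) && strcasecmp($sourceHost, $ownHost) === 0;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (empty($_SESSION['user'])) {
        http_response_code(401);
        exit('login required');
    }
    if (!csrf_valid($_POST['csrf_token'] ?? null) || !request_is_same_origin()) {
        http_response_code(403);
        exit('request rejected: missing or invalid CSRF token');
    }
    $room    = is_string($_POST['room'] ?? null)    ? trim($_POST['room'])    : '';
    $message = is_string($_POST['message'] ?? null) ? trim($_POST['message']) : '';
    if ($room === '' || $message === '' || strlen($message) > 500) {
        http_response_code(400);
        exit('bad input');
    }
    $entry = ['ts' => time(), 'user' => $_SESSION['user'], 'room' => $room, 'message' => $message];
    file_put_contents(__DIR__ . '/messages.jsonl', json_encode($entry) . PHP_EOL, FILE_APPEND | LOCK_EX);
    exit('ok');
}

// GET: render the form. The hidden csrf_token value is what a forged page cannot
// supply, because it never sees the victim's session.
$token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
?>
<form method="post" action="send_message.php">
  <input type="hidden" name="csrf_token" value="<?= $token ?>">
  <input name="room" placeholder="room">
  <input name="message" placeholder="message">
  <button type="submit">Send</button>
</form>
```

A request that fails any one of the three checks gets a 403 and nothing is written. The token check is the primary control: SameSite=Lax is ignored by older browsers and still sends the cookie on top-level GET navigations, and the Origin/Referer comparison is only a backstop for clients that strip those headers. The 401 for an unauthenticated session is kept separate so the log distinguishes a forged request from a logged-out user.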
References
| Source | URL | Tags |
|---|---|---|
| cve@mitre.org | https://github.com/floccocam-cpu/CVE-Research-2025/blob/main/CVE-2025-63710/README2.md | Exploit, Mitigation, Third Party Advisory |
| cve@mitre.org | https://www.sourcecodester.com/php/12295/simple-public-chat-room-using-php.html | Product |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| pijey | simple_public_chat_room | 1.0 |
{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:pijey:simple_public_chat_room:1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "4333F6E1-DB7B-451F-96FD-437425AFA15A",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The send_message.php endpoint in SourceCodester Simple Public Chat Room 1.0 is vulnerable to Cross-Site Request Forgery (CSRF). The application does not implement any CSRF-protection mechanisms such as tokens, nonces, or same-site cookie restrictions. An attacker can create a malicious HTML page that, when visited by an authenticated user, will automatically submit a forged POST request to the vulnerable endpoint. This request will be executed with the victim\u0027s privileges, allowing the attacker to perform unauthorized actions on their behalf, such as sending arbitrary messages in any chat room."
    },
    {
      "lang": "es",
      "value": "El endpoint send_message.php en SourceCodester Simple Public Chat Room 1.0 es vulnerable a falsificaci\u00f3n de petici\u00f3n en sitios cruzados (CSRF). La aplicaci\u00f3n no implementa ning\u00fan mecanismo de protecci\u00f3n contra CSRF, como tokens, nonces o restricciones de cookie de mismo sitio. Un atacante puede crear una p\u00e1gina HTML maliciosa que, cuando es visitada por un usuario autenticado, enviar\u00e1 autom\u00e1ticamente una petici\u00f3n POST falsificada al endpoint vulnerable. Esta petici\u00f3n se ejecutar\u00e1 con los privilegios de la v\u00edctima, permitiendo al atacante realizar acciones no autorizadas en su nombre, como enviar mensajes arbitrarios en cualquier sala de chat."
    }
  ],
  "id": "CVE-2025-63710",
  "lastModified": "2025-11-17T18:18:39.677",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 2.5,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-11-10T15:15:37.920",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Exploit",
        "Mitigation",
        "Third Party Advisory"
      ],
      "url": "https://github.com/floccocam-cpu/CVE-Research-2025/blob/main/CVE-2025-63710/README2.md"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Product"
      ],
      "url": "https://www.sourcecodester.com/php/12295/simple-public-chat-room-using-php.html"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-352"
        }
      ],
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "type": "Secondary"
    }
  ]
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.