FKIE_CVE-2025-63711

Vulnerability from fkie_nvd - Published: 2025-11-10 15:15 - Updated: 2025-11-17 18:16
Severity ?
7.1 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L
Summary
A Cross-Site Request Forgery (CSRF) vulnerability in the SourceCodester Client Database Management System 1.0 allows an attacker to cause an authenticated administrative user to perform user deletion actions without their consent. The application's user deletion endpoint (e.g., superadmin_user_delete.php) accepts POST requests containing a user_id parameter and does not enforce request origin or anti-CSRF tokens. Because the endpoint lacks proper authentication/authorization checks and CSRF protections, a remote attacker can craft a malicious page that triggers deletion when visited by an authenticated admin, resulting in arbitrary removal of user accounts.
References
cve@mitre.orghttps://github.com/floccocam-cpu/CVE-Research-2025/blob/main/CVE-2025-63711/README3.mdExploit, Mitigation, Third Party Advisory
cve@mitre.orghttps://www.sourcecodester.com/php/17514/client-database-management-system.htmlProduct
Impacted products
Vendor Product Version
lerouxyxchire client_database_management_system 1.0
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:lerouxyxchire:client_database_management_system:1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "DFE80DE6-C79F-452F-9523-4EC1F9777DA4",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A Cross-Site Request Forgery (CSRF) vulnerability in the SourceCodester Client Database Management System 1.0 allows an attacker to cause an authenticated administrative user to perform user deletion actions without their consent. The application\u0027s user deletion endpoint (e.g., superadmin_user_delete.php) accepts POST requests containing a user_id parameter and does not enforce request origin or anti-CSRF tokens. Because the endpoint lacks proper authentication/authorization checks and CSRF protections, a remote attacker can craft a malicious page that triggers deletion when visited by an authenticated admin, resulting in arbitrary removal of user accounts."
    },
    {
      "lang": "es",
      "value": "Una vulnerabilidad de falsificaci\u00f3n de petici\u00f3n en sitios cruzados (CSRF) en el Sistema de Gesti\u00f3n de Base de Datos de Cliente SourceCodester 1.0 permite a un atacante hacer que un usuario administrativo autenticado realice acciones de eliminaci\u00f3n de usuarios sin su consentimiento. El endpoint de eliminaci\u00f3n de usuarios de la aplicaci\u00f3n (por ejemplo, superadmin_user_delete.php) acepta peticiones POST que contienen un par\u00e1metro user_id y no aplica el origen de la petici\u00f3n ni tokens anti-CSRF. Debido a que el endpoint carece de comprobaciones adecuadas de autenticaci\u00f3n/autorizaci\u00f3n y protecciones CSRF, un atacante remoto puede crear una p\u00e1gina maliciosa que activa la eliminaci\u00f3n cuando es visitada por un administrador autenticado, lo que resulta en la eliminaci\u00f3n arbitraria de cuentas de usuario."
    }
  ],
  "id": "CVE-2025-63711",
  "lastModified": "2025-11-17T18:16:51.357",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 7.1,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 4.2,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-11-10T15:15:38.057",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Exploit",
        "Mitigation",
        "Third Party Advisory"
      ],
      "url": "https://github.com/floccocam-cpu/CVE-Research-2025/blob/main/CVE-2025-63711/README3.md"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Product"
      ],
      "url": "https://www.sourcecodester.com/php/17514/client-database-management-system.html"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-352"
        }
      ],
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.