Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
Lifecycle Timeline
2DescriptionCVE.org
Cross-Site Request Forgery (CSRF) vulnerability in Restajet Information Technologies Inc. Online Food Delivery System allows Cross Site Request Forgery.This issue affects Online Food Delivery System: through 19122025. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
AnalysisAI
Authenticated attackers can perform unauthorized state-changing operations in Restajet Online Food Delivery System (all versions through December 19, 2025) by exploiting missing CSRF protections. The vulnerability, disclosed by Turkey's USOM (National Cyber Incident Response Center), carries a CVSS score of 7.1 with high integrity impact, though EPSS modeling indicates only 0.02% exploitation probability (5th percentile). No public exploit identified at time of analysis, and vendor did not respond to disclosure attempts.
Technical ContextAI
This vulnerability stems from CWE-352 (Cross-Site Request Forgery), a weakness in web application session management where the application fails to validate that state-changing requests originated from the legitimate user. The affected product (CPE: cpe:2.3:a:restajet:online_food_delivery_system) is a commercial food ordering platform developed by Restajet Information Technologies Inc. In CSRF attacks, malicious websites or emails trick authenticated users' browsers into submitting forged HTTP requests without proper anti-CSRF tokens or same-site cookie protections. The CVSS vector indicates network-based exploitation (AV:N) with low complexity (AC:L) requiring an authenticated session (PR:L) but no user interaction beyond maintaining the session (UI:N), producing high integrity impact (I:H) with limited confidentiality exposure (C:L) and no availability impact (A:N).
RemediationAI
No vendor-released patch identified at time of analysis, as Restajet Information Technologies Inc. did not respond to vulnerability disclosure. Until vendor remediation becomes available, implement compensating controls: deploy web application firewall rules to enforce anti-CSRF token validation on all state-changing requests (POST, PUT, DELETE operations), configure SameSite=Strict or SameSite=Lax cookie attributes on session cookies to prevent cross-origin request inclusion, implement custom middleware to verify Referer and Origin headers match the application domain, and consider restricting application access to trusted IP ranges via network segmentation. For critical deployments, evaluate migration to alternative food delivery platforms with active security maintenance. Monitor USOM advisory at https://www.usom.gov.tr/bildirim/tr-25-0469 and VulDB at https://vuldb.com/?id.337613 for potential vendor updates.
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today