CVE-2025-49511

| EUVD-2025-17670 HIGH
2025-06-10 [email protected]
7.1
CVSS 3.1
Share

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
High

Lifecycle Timeline

3
EUVD ID Assigned
Mar 14, 2026 - 19:49 euvd
EUVD-2025-17670
Analysis Generated
Mar 14, 2026 - 19:49 vuln.today
CVE Published
Jun 10, 2025 - 13:15 nvd
HIGH 7.1

Tags

CSRF

Description

Cross-Site Request Forgery (CSRF) vulnerability in uxper Civi Framework allows Cross Site Request Forgery.This issue affects Civi Framework: from n/a through 2.1.6.

Analysis

Cross-Site Request Forgery (CSRF) vulnerability in uxper Civi Framework versions up to 2.1.6 that allows unauthenticated attackers to perform unauthorized actions on behalf of authenticated users. The vulnerability has a CVSS score of 7.1 (High) with high availability impact and integrity impact, though it requires user interaction (UI:R) to exploit. Without confirmed KEV status or EPSS data, the actual exploitation likelihood remains uncertain, but the network-accessible attack vector and low complexity suggest moderate real-world risk for organizations running affected Civi Framework versions.

Technical Context

CSRF vulnerabilities (CWE-352) occur when web applications fail to implement adequate anti-CSRF tokens or validation mechanisms to verify that state-changing requests originate from legitimate users. The uxper Civi Framework, affected from version n/a through 2.1.6, likely lacks proper CSRF protection on critical endpoints. The vulnerability exploits the HTTP stateless nature combined with browser cookie auto-submission—attackers craft malicious requests that execute with the victim's existing session credentials when the user visits a compromised or attacker-controlled webpage. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:U) indicates network accessibility with low attack complexity, requiring only user interaction and no special privileges, with impacts scoped to the vulnerable component only.

Affected Products

uxper Civi Framework versions from an unspecified initial version through 2.1.6 inclusive. The CPE string would likely be: cpe:2.3:a:uxper:civi_framework:*:*:*:*:*:*:*:* with version_start_including unspecified and version_end_including 2.1.6. Affected organizations should immediately identify all deployed instances of Civi Framework at versions ≤2.1.6 in their environments. Vendor advisories from uxper should be consulted for any version-specific configuration notes or workarounds. No alternative product names or aliases are mentioned in the provided data.

Remediation

Primary remediation: Upgrade uxper Civi Framework to a version higher than 2.1.6 (contact vendor for next stable release with CSRF protections implemented). Interim mitigations pending patching: (1) Implement CSRF token validation on all state-changing endpoints (POST, PUT, DELETE); (2) Use SameSite cookie attributes (SameSite=Strict or SameSite=Lax) to restrict cross-site cookie transmission; (3) Enforce Content-Security-Policy (CSP) headers to restrict iframe embedding and script execution; (4) Educate users to avoid clicking suspicious links while using the application; (5) Consider WAF rules to detect and block CSRF attack patterns. Consult uxper's official security advisory for patch availability, release dates, and detailed upgrade instructions. No CVE-specific patch link was provided in source data—verify directly with vendor.

Priority Score

36
Low Medium High Critical
KEV: 0
EPSS: +0.0
CVSS: +36
POC: 0

Share

CVE-2025-49511 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy