Skip to main content

CVE-2025-49511

| EUVDEUVD-2025-17670 HIGH
Cross-Site Request Forgery (CSRF) (CWE-352)
2025-06-10 audit@patchstack.com
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
High

Lifecycle Timeline

4
Re-analysis Queued
Apr 23, 2026 - 15:42 vuln.today
cvss_changed
EUVD ID Assigned
Mar 14, 2026 - 19:49 euvd
EUVD-2025-17670
Analysis Generated
Mar 14, 2026 - 19:49 vuln.today
CVE Published
Jun 10, 2025 - 13:15 nvd
HIGH 7.1

DescriptionCVE.org

Cross-Site Request Forgery (CSRF) vulnerability in uxper Civi Framework allows Cross Site Request Forgery.This issue affects Civi Framework: from n/a through 2.1.6.

AnalysisAI

Cross-Site Request Forgery (CSRF) vulnerability in uxper Civi Framework versions up to 2.1.6 that allows unauthenticated attackers to perform unauthorized actions on behalf of authenticated users. The vulnerability has a CVSS score of 7.1 (High) with high availability impact and integrity impact, though it requires user interaction (UI:R) to exploit. Without confirmed KEV status or EPSS data, the actual exploitation likelihood remains uncertain, but the network-accessible attack vector and low complexity suggest moderate real-world risk for organizations running affected Civi Framework versions.

Technical ContextAI

CSRF vulnerabilities (CWE-352) occur when web applications fail to implement adequate anti-CSRF tokens or validation mechanisms to verify that state-changing requests originate from legitimate users. The uxper Civi Framework, affected from version n/a through 2.1.6, likely lacks proper CSRF protection on critical endpoints. The vulnerability exploits the HTTP stateless nature combined with browser cookie auto-submission—attackers craft malicious requests that execute with the victim's existing session credentials when the user visits a compromised or attacker-controlled webpage. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:U) indicates network accessibility with low attack complexity, requiring only user interaction and no special privileges, with impacts scoped to the vulnerable component only.

RemediationAI

Primary remediation: Upgrade uxper Civi Framework to a version higher than 2.1.6 (contact vendor for next stable release with CSRF protections implemented). Interim mitigations pending patching: (1) Implement CSRF token validation on all state-changing endpoints (POST, PUT, DELETE); (2) Use SameSite cookie attributes (SameSite=Strict or SameSite=Lax) to restrict cross-site cookie transmission; (3) Enforce Content-Security-Policy (CSP) headers to restrict iframe embedding and script execution; (4) Educate users to avoid clicking suspicious links while using the application; (5) Consider WAF rules to detect and block CSRF attack patterns. Consult uxper's official security advisory for patch availability, release dates, and detailed upgrade instructions. No CVE-specific patch link was provided in source data—verify directly with vendor.

Share

CVE-2025-49511 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy