Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
Cross-Site Request Forgery (CSRF) vulnerability in Esselink.nu Esselink.nu Settings allows Reflected XSS. This issue affects Esselink.nu Settings: from n/a through 2.94.
AnalysisAI
CVE-2025-52793 is a Cross-Site Request Forgery (CSRF) vulnerability in Esselink.nu Settings that enables reflected Cross-Site Scripting (XSS) attacks. The vulnerability affects Esselink.nu Settings versions up to and including 2.94, allowing unauthenticated remote attackers to perform actions on behalf of users and inject malicious scripts with minimal user interaction. With a CVSS score of 7.1 and network-based attack vector, this vulnerability poses a moderate-to-significant risk to affected installations, particularly if actively exploited or if public proof-of-concept code becomes available.
Technical ContextAI
This vulnerability combines two distinct vulnerability classes: CSRF (CWE-352) and reflected XSS. The root cause stems from inadequate CSRF token validation and insufficient input sanitization in Esselink.nu Settings web application parameters. Reflected XSS occurs when user-supplied input is echoed back in HTTP responses without proper HTML encoding or output escaping. The vulnerability likely exists in settings pages or administrative interfaces where configuration parameters are processed. The CVSS vector (AV:N/AC:L/PR:N/UI:R) indicates the attack requires network access, low complexity, no privileges, and user interaction (clicking a malicious link). The combination enables attackers to craft URLs containing both CSRF payloads and XSS injections that execute in the victim's browser context when visited.
RemediationAI
- Upgrade Esselink.nu Settings to a version beyond 2.94 immediately (vendor should release patched version 2.95 or later). 2. If immediate patching is not possible, implement Web Application Firewall (WAF) rules to block requests containing common XSS payloads and CSRF attack patterns. 3. Enforce Content Security Policy (CSP) headers to prevent reflected XSS execution. 4. Implement SameSite cookie attributes (SameSite=Strict or SameSite=Lax) to mitigate CSRF attacks. 5. Validate and sanitize all user inputs server-side using allowlists. 6. Ensure all state-changing operations implement anti-CSRF tokens (synchronizer tokens or double-submit cookies) with proper validation. 7. Monitor access logs for suspicious patterns targeting settings pages. Contact Esselink.nu vendor support for specific patch availability and timeline.
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-28468