Skip to main content

Esselink.nu Esselink.nu Settings CVE-2025-52793

| EUVDEUVD-2025-28468 HIGH
Cross-Site Request Forgery (CSRF) (CWE-352)
2025-06-20 audit@patchstack.com
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Re-analysis Queued
Apr 23, 2026 - 15:42 vuln.today
cvss_changed
EUVD ID Assigned
Mar 15, 2026 - 00:19 euvd
EUVD-2025-28468
Analysis Generated
Mar 15, 2026 - 00:19 vuln.today
CVE Published
Jun 20, 2025 - 15:15 nvd
HIGH 7.1

DescriptionCVE.org

Cross-Site Request Forgery (CSRF) vulnerability in Esselink.nu Esselink.nu Settings allows Reflected XSS. This issue affects Esselink.nu Settings: from n/a through 2.94.

AnalysisAI

CVE-2025-52793 is a Cross-Site Request Forgery (CSRF) vulnerability in Esselink.nu Settings that enables reflected Cross-Site Scripting (XSS) attacks. The vulnerability affects Esselink.nu Settings versions up to and including 2.94, allowing unauthenticated remote attackers to perform actions on behalf of users and inject malicious scripts with minimal user interaction. With a CVSS score of 7.1 and network-based attack vector, this vulnerability poses a moderate-to-significant risk to affected installations, particularly if actively exploited or if public proof-of-concept code becomes available.

Technical ContextAI

This vulnerability combines two distinct vulnerability classes: CSRF (CWE-352) and reflected XSS. The root cause stems from inadequate CSRF token validation and insufficient input sanitization in Esselink.nu Settings web application parameters. Reflected XSS occurs when user-supplied input is echoed back in HTTP responses without proper HTML encoding or output escaping. The vulnerability likely exists in settings pages or administrative interfaces where configuration parameters are processed. The CVSS vector (AV:N/AC:L/PR:N/UI:R) indicates the attack requires network access, low complexity, no privileges, and user interaction (clicking a malicious link). The combination enables attackers to craft URLs containing both CSRF payloads and XSS injections that execute in the victim's browser context when visited.

RemediationAI

  1. Upgrade Esselink.nu Settings to a version beyond 2.94 immediately (vendor should release patched version 2.95 or later). 2. If immediate patching is not possible, implement Web Application Firewall (WAF) rules to block requests containing common XSS payloads and CSRF attack patterns. 3. Enforce Content Security Policy (CSP) headers to prevent reflected XSS execution. 4. Implement SameSite cookie attributes (SameSite=Strict or SameSite=Lax) to mitigate CSRF attacks. 5. Validate and sanitize all user inputs server-side using allowlists. 6. Ensure all state-changing operations implement anti-CSRF tokens (synchronizer tokens or double-submit cookies) with proper validation. 7. Monitor access logs for suspicious patterns targeting settings pages. Contact Esselink.nu vendor support for specific patch availability and timeline.

Share

CVE-2025-52793 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy