Skip to main content

Wallos CVE-2025-60535

HIGH
Cross-Site Request Forgery (CSRF) (CWE-352)
2025-10-14 cve@mitre.org
7.3
CVSS 3.1 · Vendor: mitre
Share

Severity by source

Vendor (mitre) PRIMARY
7.3 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
vuln.today AI
4.3 MEDIUM

CSRF inherently needs a logged-in victim to load the request, so UI:R; only currency config integrity is affected (I:L), with no confidentiality or availability impact.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (mitre).

CVSS VectorVendor: mitre

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jul 05, 2026 - 02:53 vuln.today

DescriptionCVE.org

A Cross-Site Request Forgery (CSRF) in the component /endpoints/currency/currency of Wallos v4.1.1 allows attackers to execute arbitrary operations via a crafted GET request.

AnalysisAI

Cross-Site Request Forgery in Wallos v4.1.1 lets remote attackers trick an authenticated user's browser into submitting a crafted GET request to the /endpoints/currency/currency component, performing unwanted currency operations without the victim's consent. The flaw stems from missing anti-CSRF token validation on state-changing requests. There is no public exploit identified at time of analysis, and the EPSS score is low (0.17%, 6th percentile), indicating little observed exploitation interest.

Technical ContextAI

Wallos is an open-source, self-hosted subscription and finance tracking web application (PHP-based, GitHub: ellite/Wallos). The vulnerability is classified under CWE-352 (Cross-Site Request Forgery), a root cause in which the server accepts state-changing requests without verifying an unpredictable, per-session anti-CSRF token or validating the request origin. Because the affected /endpoints/currency/currency action accepts a GET request, any state change it performs can be triggered simply by causing a logged-in victim's browser to load an attacker-controlled URL (e.g., an image tag or link). No CPE strings were supplied by NVD, so exact affected configurations beyond the vendor-stated v4.1.1 cannot be enumerated from the data.

Affected ProductsAI

Wallos version 4.1.1 (open-source self-hosted subscription tracker, upstream at https://github.com/ellite/Wallos/) is the only version explicitly named in the CVE. No CPE strings were provided by NVD, so the precise range of affected or earlier versions cannot be confirmed from the available data; treat v4.1.1 as confirmed vulnerable and earlier releases as likely also affected pending vendor confirmation. Additional third-party analysis is referenced at https://github.com/vityuasd/VulList/blob/main/CVE-2025-60535.md.

RemediationAI

No vendor-released patch or fixed version is identified at time of analysis; the NVD references point only to the project's GitHub repository (https://github.com/ellite/Wallos/) and a third-party write-up (https://github.com/vityuasd/VulList/blob/main/CVE-2025-60535.md), not a tagged patched release. Monitor the Wallos GitHub repository for a fix and upgrade as soon as one is published. In the interim, apply specific compensating controls: place Wallos behind a reverse proxy or WAF that enforces SameSite=Strict (or Lax) session cookies and rejects cross-origin state-changing requests to /endpoints/currency/currency; restrict access to the application to a trusted VPN or internal network to reduce the chance a logged-in user is exposed to attacker-controlled pages; and require re-authentication for sensitive settings changes. The trade-off of SameSite=Strict is that it can break legitimate cross-site navigation flows, and network restriction reduces convenience of remote access - both acceptable given the low impact of this endpoint.

Share

CVE-2025-60535 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy