JPACookieShop
CVE-2025-8223
Severity: LOW (primary rating from NVD, the only source for this CVE)
CVSS vector (NVD): CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (CVE.org)
A vulnerability, which was classified as problematic, was found in jerryshensjf JPACookieShop 蛋糕商城JPA版 up to 24a15c02b4f75042c9f7f615a3fed2ec1cefb999. This affects an unknown part of the file AdminTypeCustController.java. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. This product does not use versioning. This is why information about affected and unaffected releases is unavailable.
Analysis (AI)
Cross-site request forgery in jerryshensjf JPACookieShop (蛋糕商城JPA版) allows unauthenticated remote attackers to perform unauthorized actions via crafted requests to AdminTypeCustController.java; the attack requires user interaction by an authenticated victim. The vulnerability has a low CVSS score of 2.1, and although public exploit code is available, the low EPSS percentile (23%) suggests minimal real-world exploitation despite public disclosure.
Technical Context (AI)
JPACookieShop is a Java-based e-commerce platform using JPA (Java Persistence API) for data persistence. The vulnerability exists in AdminTypeCustController.java, a Spring MVC controller that, judging by its name, handles administrative operations on customer types. CWE-352 (Cross-Site Request Forgery) indicates that the application fails to implement or properly validate anti-CSRF defenses (such as CSRF synchronizer tokens, double-submit cookies, or SameSite cookie attributes) on state-changing operations. The attack vector is network-based (AV:N) with low attack complexity (AC:L) but requires user interaction (UI:P): typically a victim administrator, while authenticated to the application, opens a malicious page or link that submits the forged request.
Remediation (AI)
No vendor-released patch was identified at the time of analysis; the product does not use versioning and patch status is not documented. The primary remediation is to implement CSRF protection for AdminTypeCustController.java: add CSRF token validation to all state-changing endpoints (POST, PUT, DELETE) using Spring Security's CSRF filter (enabled by default in Spring Boot, but this must be verified in custom configurations), set the SameSite=Strict attribute on session cookies, and use a Spring Security configuration (@EnableWebSecurity) that keeps CSRF protection enabled. Developers should review the public GitHub advisory (https://github.com/Bemcliu/cve-reports/blob/main/cve-06-%E8%9B%8B%E7%B3%95%E5%95%86%E5%9F%8EJPA%E7%89%88-CSRF/readme.md) for the specific vulnerable endpoints. If immediate code changes are not feasible, compensating controls include: restricting access to the admin panel with an IP allowlist (reduces the attack surface), sending Content-Security-Policy headers to prevent framing, and enforcing multi-factor authentication for admin accounts (mitigates the risk of a compromised session). These controls carry moderate operational overhead but significantly reduce the feasibility of a CSRF attack.
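The configuration below is an added illustration of the remediation described above; it is not code from the JPACookieShop project or from the advisory. It assumes a Spring Boot 3.x / Spring Security 6.x application and an admin URL prefix of /admin/** (the project's real paths are not given on this page and are a placeholder here). The commented-out line shows the weak setting that is frequently found in custom configurations and that turns off the synchronizer-token check; the active configuration keeps Spring Security's default CSRF filter, requires authentication for the admin area, and marks the session cookie SameSite=Strict.

```java
import org.springframework.boot.web.servlet.server.CookieSameSiteSupplier;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

/**
 * Illustrative Spring Security configuration (not the project's own code).
 * Assumes Spring Boot 3.x / Spring Security 6.x.
 */
@Configuration
@EnableWebSecurity
public class AdminSecurityConfig {

    @Bean
    SecurityFilterChain adminFilterChain(HttpSecurity http) throws Exception {
        http
            // WEAK: this line is what disables the synchronizer-token check and
            // re-creates a CWE-352 condition on every POST/PUT/DELETE endpoint.
            // .csrf(csrf -> csrf.disable())

            // CORRECT: keep the default CsrfFilter. Every state-changing request
            // must carry the token (hidden form field "_csrf" or header "X-CSRF-TOKEN")
            // or Spring Security rejects it with 403 before it reaches the controller.
            .csrf(Customizer.withDefaults())

            // "/admin/**" is an assumed prefix for the AdminTypeCustController routes;
            // the real mappings must be taken from the project's controller.
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/admin/**").authenticated()
                .anyRequest().permitAll())
            .formLogin(Customizer.withDefaults());
        return http.build();
    }

    /**
     * Defence in depth: a Strict SameSite session cookie is not sent on
     * cross-site top-level navigations or form posts, so a forged request
     * from another origin arrives unauthenticated even if a token check
     * were ever missed. "JSESSIONID" is the servlet container's default name.
     */
    @Bean
    CookieSameSiteSupplier sessionCookieSameSite() {
        return CookieSameSiteSupplier.ofStrict().whenHasName("JSESSIONID");
    }
}
```

With the filter active, Thymeleaf forms that use th:action receive the hidden _csrf field automatically; plain JSP or hand-written HTML forms must include it explicitly (`<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>`), and any JavaScript that submits admin requests must send the token in the X-CSRF-TOKEN header. A quick check after deployment is to submit a state-changing admin request without the token and confirm the response is 403 rather than a successful change.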