Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionCVE.org
A security vulnerability has been detected in code-projects Invoice System in Laravel 1.0. This affects an unknown function. Such manipulation leads to cross-site request forgery. The attack may be performed from remote. The exploit has been disclosed publicly and may be used.
AnalysisAI
Cross-site request forgery (CSRF) in code-projects Invoice System 1.0 for Laravel allows remote attackers to perform unauthorized actions via crafted requests. The vulnerability requires user interaction (clicking a malicious link) but affects the system's integrity through unvalidated state-changing operations. Exploit code is publicly available, and the CVSS 5.3 score reflects moderate severity with limited integrity impact but no confidentiality or availability harm.
Technical ContextAI
This is a CSRF vulnerability (CWE-352) in a Laravel-based invoice management application. CSRF attacks exploit the trust relationship between a user's browser and a web application by forcing the browser to submit unauthorized requests to the application on behalf of the authenticated user. The vulnerability exists in an unknown function within the Invoice System, suggesting missing CSRF token validation or improper implementation of same-origin policy protections. Laravel provides built-in CSRF middleware (token generation and validation via the _token parameter), but this application either disables it for certain endpoints or fails to apply it correctly. The attack vector is network-based (AV:N) with low complexity (AC:L), and critically requires user interaction (UI:P), typically clicking a link or viewing a malicious webpage while authenticated.
RemediationAI
Apply CSRF protection by ensuring all state-changing endpoints (POST, PUT, DELETE, PATCH) validate Laravel's CSRF token via the middleware stack. The primary fix requires patching the unknown vulnerable function to include CSRF token validation using Laravel's built-in @csrf Blade directive in forms and verifying tokens server-side. No specific patched version is available from vendor sources at time of analysis. As a compensating control, implement SameSite=Strict or SameSite=Lax cookie attribute on session tokens to prevent browsers from sending credentials on cross-origin requests; note this requires users on modern browsers and does not fully replace token validation. Additionally, implement Content Security Policy (CSP) headers to restrict the origins from which forms can be submitted. For immediate risk reduction, disable or restrict access to identified vulnerable invoice endpoints until patches are deployed, though this impacts business functionality.
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-25805