Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H
Lifecycle Timeline
4DescriptionCVE.org
Cross-Site Request Forgery (CSRF) vulnerability in uxper Civi Framework allows Cross Site Request Forgery.This issue affects Civi Framework: from n/a through 2.1.6.
AnalysisAI
Cross-Site Request Forgery (CSRF) vulnerability in uxper Civi Framework versions up to 2.1.6 that allows unauthenticated attackers to perform unauthorized actions on behalf of authenticated users. The vulnerability has a CVSS score of 7.1 (High) with high availability impact and integrity impact, though it requires user interaction (UI:R) to exploit. Without confirmed KEV status or EPSS data, the actual exploitation likelihood remains uncertain, but the network-accessible attack vector and low complexity suggest moderate real-world risk for organizations running affected Civi Framework versions.
Technical ContextAI
CSRF vulnerabilities (CWE-352) occur when web applications fail to implement adequate anti-CSRF tokens or validation mechanisms to verify that state-changing requests originate from legitimate users. The uxper Civi Framework, affected from version n/a through 2.1.6, likely lacks proper CSRF protection on critical endpoints. The vulnerability exploits the HTTP stateless nature combined with browser cookie auto-submission—attackers craft malicious requests that execute with the victim's existing session credentials when the user visits a compromised or attacker-controlled webpage. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:U) indicates network accessibility with low attack complexity, requiring only user interaction and no special privileges, with impacts scoped to the vulnerable component only.
RemediationAI
Primary remediation: Upgrade uxper Civi Framework to a version higher than 2.1.6 (contact vendor for next stable release with CSRF protections implemented). Interim mitigations pending patching: (1) Implement CSRF token validation on all state-changing endpoints (POST, PUT, DELETE); (2) Use SameSite cookie attributes (SameSite=Strict or SameSite=Lax) to restrict cross-site cookie transmission; (3) Enforce Content-Security-Policy (CSP) headers to restrict iframe embedding and script execution; (4) Educate users to avoid clicking suspicious links while using the application; (5) Consider WAF rules to detect and block CSRF attack patterns. Consult uxper's official security advisory for patch availability, release dates, and detailed upgrade instructions. No CVE-specific patch link was provided in source data—verify directly with vendor.
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-17670