EUVD-2025-17670
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H
Lifecycle Timeline
3Tags
Description
Cross-Site Request Forgery (CSRF) vulnerability in uxper Civi Framework allows Cross Site Request Forgery.This issue affects Civi Framework: from n/a through 2.1.6.
Analysis
Cross-Site Request Forgery (CSRF) vulnerability in uxper Civi Framework versions up to 2.1.6 that allows unauthenticated attackers to perform unauthorized actions on behalf of authenticated users. The vulnerability has a CVSS score of 7.1 (High) with high availability impact and integrity impact, though it requires user interaction (UI:R) to exploit. Without confirmed KEV status or EPSS data, the actual exploitation likelihood remains uncertain, but the network-accessible attack vector and low complexity suggest moderate real-world risk for organizations running affected Civi Framework versions.
Technical Context
CSRF vulnerabilities (CWE-352) occur when web applications fail to implement adequate anti-CSRF tokens or validation mechanisms to verify that state-changing requests originate from legitimate users. The uxper Civi Framework, affected from version n/a through 2.1.6, likely lacks proper CSRF protection on critical endpoints. The vulnerability exploits the HTTP stateless nature combined with browser cookie auto-submission—attackers craft malicious requests that execute with the victim's existing session credentials when the user visits a compromised or attacker-controlled webpage. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:U) indicates network accessibility with low attack complexity, requiring only user interaction and no special privileges, with impacts scoped to the vulnerable component only.
Affected Products
uxper Civi Framework versions from an unspecified initial version through 2.1.6 inclusive. The CPE string would likely be: cpe:2.3:a:uxper:civi_framework:*:*:*:*:*:*:*:* with version_start_including unspecified and version_end_including 2.1.6. Affected organizations should immediately identify all deployed instances of Civi Framework at versions ≤2.1.6 in their environments. Vendor advisories from uxper should be consulted for any version-specific configuration notes or workarounds. No alternative product names or aliases are mentioned in the provided data.
Remediation
Primary remediation: Upgrade uxper Civi Framework to a version higher than 2.1.6 (contact vendor for next stable release with CSRF protections implemented). Interim mitigations pending patching: (1) Implement CSRF token validation on all state-changing endpoints (POST, PUT, DELETE); (2) Use SameSite cookie attributes (SameSite=Strict or SameSite=Lax) to restrict cross-site cookie transmission; (3) Enforce Content-Security-Policy (CSP) headers to restrict iframe embedding and script execution; (4) Educate users to avoid clicking suspicious links while using the application; (5) Consider WAF rules to detect and block CSRF attack patterns. Consult uxper's official security advisory for patch availability, release dates, and detailed upgrade instructions. No CVE-specific patch link was provided in source data—verify directly with vendor.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today