CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Description
Cross-Site Request Forgery (CSRF) vulnerability in Beee TinyNav allows Stored XSS. This issue affects TinyNav: from n/a through 1.4.
Analysis
CVE-2025-52781 is a Cross-Site Request Forgery (CSRF) vulnerability in Beee TinyNav versions up to 1.4 that enables Stored XSS. The attacker needs no credentials of their own: by luring an authenticated user into submitting a forged request, they can store a persistent JavaScript payload in the application, which then executes in the browsers of other users who view the compromised content. With a CVSS score of 7.1 (network attack vector, no privileges required, user interaction required, changed scope), the vulnerability poses a moderate-to-significant risk to affected deployments, especially if it is actively exploited in the wild or proof-of-concept code is published.
Technical Context
The vulnerability exists in Beee TinyNav (CPE: cpe:2.3:a:beee:tinynav:*:*:*:*:*:*:*:*), a navigation/menu library/component, affecting versions from an unspecified baseline through version 1.4. The root cause is classified under CWE-352 (Cross-Site Request Forgery), which points to state-changing requests that are neither bound to an anti-CSRF token nor protected by SameSite cookie attributes. The combination with Stored XSS suggests that the affected endpoints do not validate the origin of state-changing requests and do not sanitize user-supplied input before it is stored and rendered. An attacker can therefore forge requests on behalf of authenticated users without their knowledge, and because the injected payload persists in the application's database or backend state, it survives beyond the single response that typical reflected XSS mitigations protect. The vulnerability most likely affects web applications that integrate TinyNav without additional server-side input validation, output encoding, or CSRF token enforcement.
Affected Products
Beee TinyNav versions 1.4 and earlier (the version that introduced the flaw is unspecified in available data). CPE identifier: cpe:2.3:a:beee:tinynav:*:*:*:*:*:*:*:* with version constraint <=1.4. No vendor advisory link is provided in the source data. Organizations using TinyNav should identify all deployed instances, including direct package installations (npm, composer, etc.) and indirect dependencies pulled in by web frameworks. Web applications that integrate TinyNav without their own CSRF and XSS defenses are most affected.
Remediation
Immediate remediation steps:
(1) Upgrade Beee TinyNav to version 1.5 or later as soon as one is available. The patched version is not explicitly stated in the provided data, but the vendor should publish a fix; contact Beee/project maintainers for a patched release.
(2) Implement server-side CSRF token validation on all state-changing endpoints using standard library functions (e.g., synchronizer tokens, or double-submit cookies combined with SameSite=Strict).
(3) Enforce Content Security Policy (CSP) headers with script-src restrictions so that stored XSS is mitigated even if a CSRF request succeeds.
(4) Apply output encoding/HTML entity escaping to all user-supplied input before rendering.
(5) Set the SameSite cookie attribute (SameSite=Strict or SameSite=Lax) on session cookies to restrict cross-site credential submission.
(6) Perform input validation and sanitization at the server layer, not only client-side.
Short-term workaround for unpatched systems: disable or isolate TinyNav functionality behind additional authentication layers or IP restrictions until a patch is applied.
EUVD-2025-28460