EUVD-2025-28462

CVE-2025-52784 | Severity: HIGH | Published: 2025-06-20 | Source: [email protected]
CVSS 3.1 base score: 7.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: Low

Lifecycle Timeline

Analysis Generated: Mar 15, 2026 - 00:19 (vuln.today)
EUVD ID Assigned: Mar 15, 2026 - 00:19 (euvd), EUVD-2025-28462
CVE Published: Jun 20, 2025 - 15:15 (nvd), HIGH 7.1

Description

Cross-Site Request Forgery (CSRF) vulnerability in hideoguchi Bluff Post allows Stored XSS. This issue affects Bluff Post: from n/a through 1.1.1.

Analysis

CVE-2025-52784 is a Cross-Site Request Forgery (CSRF) vulnerability in hideoguchi Bluff Post that enables Stored XSS attacks, affecting versions through 1.1.1. An unauthenticated attacker can craft malicious requests to inject persistent JavaScript payloads that execute in victims' browsers when they view affected content, potentially leading to session hijacking, credential theft, or defacement. The vulnerability has a CVSS score of 7.1 (High) with network-based attack vector and low complexity, indicating moderate real-world risk.

Technical Context

The vulnerability stems from inadequate CSRF token validation (CWE-352) combined with insufficient input sanitization that allows stored XSS payloads. Bluff Post likely processes user-submitted content without proper token verification on state-changing operations (POST/PUT/DELETE) and fails to encode output for its rendering context, allowing attackers to bypass client-side protections. The CSRF weakness enables an attacker to forge requests on behalf of authenticated users, while the stored XSS component persists the injected script in the application's database. Remediating this dual weakness requires the application to validate CSRF tokens on all state-changing requests and to apply context-aware output encoding (HTML, JavaScript, URL, CSS contexts) using established libraries or templating engines with auto-escaping.

Affected Products

hideoguchi Bluff Post: versions from n/a (likely 1.0.0 or initial release) through 1.1.1 inclusive. CPE would likely be: cpe:2.3:a:hideoguchi:bluff_post:*:*:*:*:*:*:*:* with version constraints <=1.1.1. No vendor advisory links, CVE references, or official patch URLs provided in source material; recommend checking hideoguchi's GitHub repository, security advisory page, or release notes for patches >=1.1.2.

Remediation

Immediate: Upgrade hideoguchi Bluff Post to version 1.1.2 or later (patch version not explicitly confirmed in provided data; verify with vendor). Interim mitigations if patch unavailable: (1) Implement strict CSRF token validation on all POST/PUT/DELETE endpoints using SameSite=Strict cookies and synchronizer token pattern; (2) Apply context-aware output encoding to all user-submitted content before rendering (use established libraries like DOMPurify for JavaScript contexts, htmlspecialchars() for HTML, or templating engines with auto-escape); (3) Implement Content Security Policy (CSP) with script-src restrictions to limit XSS blast radius; (4) Deploy Web Application Firewall (WAF) rules to detect and block common XSS payloads; (5) Restrict posting permissions to authenticated users only if possible. Contact hideoguchi maintainers for official patch timeline.
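
The two server-side controls named above (synchronizer-token CSRF validation on the state-changing request, and context-aware output encoding before rendering stored content) are shown together in the following added example. This is illustrative code written for this page, not Bluff Post's own code; it assumes nothing about the plugin's framework and uses plain dictionaries as stand-ins for a session and a submitted form. The vulnerable handler and renderer are kept alongside the hardened ones so the difference in behaviour on a constructed forged request is visible.

```python
"""Added example (not Bluff Post code): synchronizer-token CSRF check plus
context-aware HTML escaping for a stored-content endpoint.

Everything here is constructed for illustration: the `session` and `form`
dictionaries stand in for a real web framework's request objects.
"""
import hmac
import html
import secrets

SESSION_TOKEN_KEY = "csrf_token"  # hypothetical session slot name


def issue_csrf_token(session: dict) -> str:
    """Create (or reuse) a per-session secret to embed in the form as a hidden
    field. Synchronizer token pattern: the value lives server-side in the
    session and must be echoed back by the form on every state change."""
    token = session.get(SESSION_TOKEN_KEY)
    if token is None:
        token = secrets.token_urlsafe(32)
        session[SESSION_TOKEN_KEY] = token
    return token


def csrf_token_valid(session: dict, form: dict) -> bool:
    """True only if the form carries the token stored in the session. A page on
    another origin cannot read the victim's form, so a forged request cannot
    supply the value; compare_digest keeps the comparison constant-time."""
    expected = session.get(SESSION_TOKEN_KEY)
    supplied = form.get("csrf_token")
    if not expected or not isinstance(supplied, str):
        return False
    return hmac.compare_digest(expected, supplied)


def create_post_vulnerable(store: list, form: dict) -> bool:
    """'Before' shape of the flaw the advisory describes: no token check, and
    the submitted content is stored raw for later rendering."""
    store.append({"title": form.get("title", ""), "body": form.get("body", "")})
    return True


def create_post_hardened(store: list, session: dict, form: dict) -> bool:
    """State-changing handler: refuse the write unless the CSRF token matches."""
    if not csrf_token_valid(session, form):
        return False
    store.append({"title": form.get("title", ""), "body": form.get("body", "")})
    return True


def render_post_vulnerable(post: dict) -> str:
    """Raw interpolation: stored markup is emitted as-is into the page."""
    return f'<article data-title="{post["title"]}"><p>{post["body"]}</p></article>'


def render_post_hardened(post: dict) -> str:
    """Context-aware output encoding: html.escape(quote=True) covers both the
    HTML text context and the double-quoted attribute context used here."""
    title = html.escape(post["title"], quote=True)
    body = html.escape(post["body"], quote=True)
    return f'<article data-title="{title}"><p>{body}</p></article>'


# Constructed sample: a cross-site form submission carrying markup in both
# fields and no token (the session never issued one to that origin).
FORGED_FORM = {"title": 'x" onmouseover="alert(1)', "body": "<script>alert(1)</script>"}


def demo() -> dict:
    """Run both paths and return what each accepts and renders."""
    session: dict = {}
    vulnerable_store: list = []
    hardened_store: list = []

    create_post_vulnerable(vulnerable_store, FORGED_FORM)
    forged_accepted = create_post_hardened(hardened_store, session, FORGED_FORM)

    # Legitimate same-origin submission that echoes the issued token.
    token = issue_csrf_token(session)
    legit_form = {"csrf_token": token, "title": "hello", "body": "<b>bold</b> & safe"}
    legit_accepted = create_post_hardened(hardened_store, session, legit_form)

    return {
        "forged_accepted": forged_accepted,
        "legit_accepted": legit_accepted,
        "vulnerable_html": render_post_vulnerable(vulnerable_store[0]),
        "hardened_html": render_post_hardened(hardened_store[0]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The token check belongs on every POST/PUT/DELETE handler, not only the one that was reported; pairing it with a SameSite cookie attribute, as the remediation list suggests, gives a second, browser-enforced layer. Escaping is applied at render time rather than at storage time so the database keeps the author's original text and each output context can be encoded for what it actually is.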

Priority Score

36 (scale: Low / Medium / High / Critical)
Components: KEV: 0, EPSS: +0.0, CVSS: +36, POC: 0

EUVD-2025-28462 vulnerability details – vuln.today