EUVD-2025-28468

CVE-2025-52793 HIGH
2025-06-20 [email protected]
7.1
CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: Low

Lifecycle Timeline

EUVD ID Assigned: Mar 15, 2026 - 00:19 (euvd) EUVD-2025-28468
Analysis Generated: Mar 15, 2026 - 00:19 (vuln.today)
CVE Published: Jun 20, 2025 - 15:15 (nvd)

Description

Cross-Site Request Forgery (CSRF) vulnerability in Esselink.nu Esselink.nu Settings allows Reflected XSS. This issue affects Esselink.nu Settings: from n/a through 2.94.

Analysis

CVE-2025-52793 is a Cross-Site Request Forgery (CSRF) vulnerability in Esselink.nu Settings that enables reflected Cross-Site Scripting (XSS) attacks. The vulnerability affects Esselink.nu Settings versions up to and including 2.94, allowing unauthenticated remote attackers to perform actions on behalf of users and inject malicious scripts with minimal user interaction. With a CVSS score of 7.1 and network-based attack vector, this vulnerability poses a moderate-to-significant risk to affected installations, particularly if actively exploited or if public proof-of-concept code becomes available.

Technical Context

This vulnerability combines two distinct vulnerability classes: CSRF (CWE-352) and reflected XSS. The root cause stems from inadequate CSRF token validation and insufficient input sanitization in the Esselink.nu Settings web application parameters. Reflected XSS occurs when user-supplied input is echoed back in HTTP responses without proper HTML encoding or output escaping. The vulnerability likely exists in settings pages or administrative interfaces where configuration parameters are processed. The CVSS vector (AV:N/AC:L/PR:N/UI:R) indicates that the attack requires network access, low complexity, no privileges, and user interaction (clicking a malicious link). The combination enables an attacker to craft a URL that carries both the CSRF request and the XSS injection, so that the reflected script executes in the victim's browser context when the link is visited.

Affected Products

Esselink.nu Settings: versions from an unspecified baseline through version 2.94 (inclusive). The vulnerability affects all configurations of Esselink.nu Settings in the version range. No CPE string was provided in the source data, but the affected product can be identified as 'Esselink.nu Settings' with version constraint '<=2.94'. Organizations using Esselink.nu Settings should verify their installed version against this threshold. The lack of a specific 'introduced in' version suggests the vulnerability may exist across a wide version range.

Remediation

1. Upgrade Esselink.nu Settings to a version beyond 2.94 immediately (vendor should release patched version 2.95 or later).
2. If immediate patching is not possible, implement Web Application Firewall (WAF) rules to block requests containing common XSS payloads and CSRF attack patterns.
3. Enforce Content Security Policy (CSP) headers to prevent reflected XSS execution.
4. Implement SameSite cookie attributes (SameSite=Strict or SameSite=Lax) to mitigate CSRF attacks.
5. Validate and sanitize all user inputs server-side using allowlists.
6. Ensure all state-changing operations implement anti-CSRF tokens (synchronizer tokens or double-submit cookies) with proper validation.
7. Monitor access logs for suspicious patterns targeting settings pages.

Contact Esselink.nu vendor support for specific patch availability and timeline.
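To illustrate the pattern described under Technical Context and the token and escaping controls in steps 5 and 6, the following is an added example (not Esselink.nu code; the endpoint, parameter names and session store are constructed stand-ins): a settings handler that accepts any request and reflects the value unencoded, beside a hardened version that requires POST with a per-session synchronizer token, allowlists the value, and HTML-encodes it on output.

```python
import html
import hmac
import secrets

# Constructed in-memory session store for the example; a real application
# would keep the token in the server-side session.
_SESSION_TOKENS: dict[str, str] = {}


def issue_csrf_token(session_id: str) -> str:
    """Synchronizer token: random, generated server-side, bound to one session."""
    token = secrets.token_urlsafe(32)
    _SESSION_TOKENS[session_id] = token
    return token


def vulnerable_settings(params: dict) -> tuple[int, str]:
    """The pattern the advisory describes: any request (even a GET reached via a
    link) changes the setting, and the value is reflected without encoding."""
    name = params.get("site_name", "")
    return 200, f"<p>Saved site name: {name}</p>"


def hardened_settings(method: str, session_id: str, params: dict) -> tuple[int, str]:
    """State changes only via POST carrying a valid session token; output is escaped."""
    if method != "POST":
        return 405, "<p>Use POST</p>"
    expected = _SESSION_TOKENS.get(session_id)
    supplied = params.get("_csrf", "")
    # Constant-time comparison; a session with no issued token also fails closed.
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return 403, "<p>Invalid or missing CSRF token</p>"
    name = params.get("site_name", "")
    # Server-side allowlist: non-empty, bounded length, printable characters only.
    if not (0 < len(name) <= 64 and name.isprintable()):
        return 400, "<p>Invalid site name</p>"
    # Encode on output so reflected input renders as text, never as markup.
    return 200, f"<p>Saved site name: {html.escape(name, quote=True)}</p>"


if __name__ == "__main__":
    sid = "sess-demo"  # constructed session id
    tok = issue_csrf_token(sid)
    print(vulnerable_settings({"site_name": "<b>x</b>"}))
    print(hardened_settings("GET", sid, {"site_name": "<b>x</b>"}))
    print(hardened_settings("POST", sid, {"site_name": "<b>x</b>", "_csrf": tok}))
```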

Priority Score

Score: 36 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.0
CVSS: +36
POC: 0

EUVD-2025-28468 vulnerability details – vuln.today