CVE-2025-7756
BaseFortify
Publication date: 2025-07-17
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| fabian | e-commerce_site | 1.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability impact me? :
This vulnerability can impact you by allowing attackers to perform unauthorized actions on your behalf within the e-commerce site. For example, attackers can add items to your shopping cart, manipulate order quantities (including setting extremely high quantities), launch inventory denial-of-service attacks, and control the order placement process without your knowledge or consent. These actions compromise the integrity of your account and the e-commerce system. [2, 3]
Can you explain this vulnerability to me?
CVE-2025-7756 is a Cross-Site Request Forgery (CSRF) vulnerability in code-projects E-Commerce Site version 1.0, specifically in the '/cart_add.php' file. The vulnerability occurs because the application does not properly verify whether a request was intentionally made by the authenticated user, lacking CSRF token validation. This allows an attacker to craft malicious webpages that trick authenticated users into submitting unauthorized requests, such as adding items to their shopping cart or manipulating order quantities, without their consent. [1, 2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for unauthorized or forged POST requests to the '/cart_add.php' endpoint, especially those that manipulate product IDs and quantities without proper CSRF tokens. Network or web server logs can be inspected for suspicious requests lacking CSRF tokens or originating from unexpected referers. Since the vulnerability involves missing CSRF token validation, checking for absence of CSRF tokens in POST requests to '/cart_add.php' is key. Specific commands depend on your environment, but for example, using tools like 'grep' on web server logs to find POST requests to '/cart_add.php' without CSRF tokens, or using intrusion detection systems to flag unusual POST requests, can help detect exploitation attempts. [2, 3]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include implementing CSRF token validation by generating and verifying unique tokens for each user session to ensure requests are legitimate. Additionally, restrict requests by validating the 'Referer' or 'Origin' HTTP headers to confirm requests come from trusted sources. Also, validate all input parameters such as product IDs and quantities to prevent manipulation. If patching is not immediately possible, consider replacing the affected product with an alternative to reduce risk. [1, 3]