CVE-2025-8223
BaseFortify
Publication date: 2025-07-27
Last updated on: 2026-04-29
Assigner: VulDB
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| jerryshensjf | jpacookieshop | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-8223 is a Cross-Site Request Forgery (CSRF) vulnerability in the JPACookieShop 蛋糕商城JPA版 application, specifically in the AdminTypeCustController.java file. The vulnerability exists because the backend API endpoint /admin/type_delete does not properly validate requests: it lacks referer header checks, cookie verification, and token-based request validation. This allows an attacker to trick a logged-in user into unknowingly submitting unauthorized requests, so the application can be manipulated remotely without the attacker needing any credentials of their own. [1, 2]
How can this vulnerability impact me?
This vulnerability can impact you by allowing remote attackers to perform unauthorized actions on your application by exploiting the CSRF flaw. Since the application does not verify that requests are intentionally made by authenticated users, attackers can hijack legitimate user sessions to manipulate data or perform actions without the user's consent, compromising the integrity of the application. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring requests to the backend API endpoint `/admin/type_delete` for suspicious or unauthorized POST requests that lack proper CSRF tokens or referer headers. Since the vulnerability involves missing token-based authentication and referer checks, you can use web application security testing tools or intercepting proxies (like Burp Suite) to analyze requests for the absence of CSRF protections. Additionally, checking server logs for unexpected or unauthorized calls to `/admin/type_delete` can help detect exploitation attempts. Specific commands depend on your environment, but for example, using curl to test the endpoint without CSRF tokens: `curl -X POST https://yourserver/admin/type_delete -d "id=somevalue"` to see if the request is accepted without authentication or token verification. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include implementing CSRF protection mechanisms such as adding token-based request validation (CSRF tokens) to the `/admin/type_delete` endpoint, validating the referer header, and verifying cookies to ensure requests are legitimate. Since no known mitigations or countermeasures are currently identified for this product, consider restricting access to the vulnerable endpoint, applying web application firewall (WAF) rules to block suspicious requests, and limiting user permissions to reduce impact. Ultimately, replacing the affected component with an alternative product that includes proper CSRF protections is recommended. [1, 2]
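As an added illustration of the token-based mitigation above (this is example code, not the JPACookieShop project's own source), the following Spring Security configuration enforces a synchronizer-token check and an authorization check on every `/admin/**` request, including `/admin/type_delete`; the class name, package layout, role name and the hypothetical handler are assumptions.

```java
// Added example: hardening an /admin/** delete endpoint against CWE-352 (CSRF)
// and CWE-862 (missing authorization) with Spring Security 6. Class, role and
// handler names are assumptions; nothing here is the project's own code.
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestParam;

@Configuration
@EnableWebSecurity
public class AdminCsrfConfig {

    @Bean
    SecurityFilterChain adminFilterChain(HttpSecurity http) throws Exception {
        http
            // CWE-862: only an authenticated ADMIN may reach any /admin/** handler.
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/admin/**").hasRole("ADMIN")
                .anyRequest().permitAll())
            // CWE-352: bind a per-session token; CsrfFilter rejects any POST/PUT/DELETE
            // that does not carry a matching _csrf parameter or X-CSRF-TOKEN header (HTTP 403).
            .csrf(csrf -> csrf.csrfTokenRepository(new HttpSessionCsrfTokenRepository()))
            .formLogin(Customizer.withDefaults());
        return http.build();
    }
}

// Hypothetical handler shape: state-changing work is POST-only, so a cross-site
// GET (e.g. an <img> tag on an attacker page) cannot trigger it, and the CSRF
// filter above runs before the handler is ever invoked.
@Controller
class AdminTypeDeleteExample {
    @PostMapping("/admin/type_delete")
    public String deleteType(@RequestParam("id") long id) {
        // ... delete the category with the given id via the JPA repository ...
        return "redirect:/admin/type_list";
    }
}
```

Server-rendered forms must emit the session token, e.g. `<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>` in the delete form, so legitimate admin requests keep working once the filter is active.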