CVE-2025-9747
BaseFortify
Publication date: 2025-08-31
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| benjaminjonard | koillection | to 1.7.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a cross-site request forgery (CSRF) issue found in Koillection up to version 1.6.18. It affects an unknown function in the file assets/controllers/csrf_protection_controller.js. An attacker can remotely exploit this vulnerability to perform unauthorized actions on behalf of an authenticated user. The issue is addressed by upgrading to version 1.7.0, where the CSRF handling was improved by switching to a newer stateless token method.
How can this vulnerability impact me? :
This vulnerability can allow an attacker to trick an authenticated user into executing unwanted actions on the Koillection application without their consent. This could lead to unauthorized operations being performed, potentially compromising the integrity of user actions or data within the application.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Koillection to version 1.7.0, which includes a patch that switches to a newer CSRF handling using stateless tokens to address this vulnerability.