CVE-2025-10759
BaseFortify
Publication date: 2025-09-21
Last updated on: 2025-10-30
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| webkul | qloapps | to 1.7.0 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-285 | The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action. |
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Webkul QloApps up to version 1.7.0 in the CSRF Token Handler component. By manipulating the token argument, an attacker can bypass authorization checks remotely, potentially gaining unauthorized access or performing actions without proper permissions. The vulnerability is known and a fix is planned for a future major release.
How can this vulnerability impact me? :
The vulnerability allows an attacker to bypass authorization remotely by manipulating the CSRF token, which could lead to unauthorized actions being performed on the affected system. This could compromise the integrity of the application by allowing attackers to perform operations they should not be able to.