CVE-2025-11051
BaseFortify
Publication date: 2025-09-27
Last updated on: 2025-10-03
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mayurik | pet_grooming_management_software | 1.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-11051 is a Cross-Site Request Forgery (CSRF) vulnerability in SourceCodester Pet Grooming Management Software version 1.0. It occurs because the software does not require the current admin password to reset the password and lacks proper session validation. This allows an attacker to craft a malicious request that changes the admin password without the admin's consent, effectively hijacking the admin account. The attack requires the victim to have an active session and to visit a malicious page that triggers the CSRF request. [1, 2]
How can this vulnerability impact me? :
This vulnerability can lead to unauthorized account takeover by allowing an attacker to reset the admin password without authentication or proper session validation. As a result, the attacker can gain administrative control over the application, potentially leading to unauthorized actions, data manipulation, or further exploitation within the system. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection can be performed by monitoring for unauthorized POST requests to the endpoint /admin/change_pass.php with multipart/form-data content that attempts to change the admin password without proper session validation. For example, inspecting web server logs or using tools like curl to simulate or detect such requests. A sample command to test the vulnerability could be a crafted POST request similar to the proof-of-concept: curl -X POST -F 'password=admin@123' -F 'password2=admin@123' -F 'update=Update' https://<target>/admin/change_pass.php. Additionally, monitoring for unexpected password change attempts or unusual admin account activity can help detect exploitation attempts. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the affected software, especially the /admin/change_pass.php endpoint, to trusted IPs or networks, and ensuring users do not visit untrusted websites while authenticated. Since no known countermeasures or recommended mitigations exist for this vulnerability, replacing or upgrading the affected software version is suggested. Additionally, implementing web application firewall (WAF) rules to block CSRF attempts and enforcing proper session validation and password reset procedures can help mitigate the risk. [2, 1]