CVE-2025-11051
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-27

Last updated on: 2025-10-03

Assigner: VulDB

Description
A vulnerability has been found in SourceCodester Pet Grooming Management Software 1.0. This vulnerability affects unknown code. The manipulation leads to cross-site request forgery. The attack is possible to be carried out remotely.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-27
Last Modified
2025-10-03
Generated
2026-06-16
AI Q&A
2025-09-27
EPSS Evaluated
2026-06-15
NVD
CVE-2025-11051
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
mayurik pet_grooming_management_software 1.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
CWE-352 The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-11051 is a Cross-Site Request Forgery (CSRF) vulnerability in SourceCodester Pet Grooming Management Software version 1.0. It occurs because the software does not require the current admin password to reset the password and lacks proper session validation. This allows an attacker to craft a malicious request that changes the admin password without the admin's consent, effectively hijacking the admin account. The attack requires the victim to have an active session and to visit a malicious page that triggers the CSRF request. [1, 2]

Impact Analysis

This vulnerability can lead to unauthorized account takeover by allowing an attacker to reset the admin password without authentication or proper session validation. As a result, the attacker can gain administrative control over the application, potentially leading to unauthorized actions, data manipulation, or further exploitation within the system. [1, 2]

Detection Guidance

Detection can be performed by monitoring for unauthorized POST requests to the endpoint /admin/change_pass.php with multipart/form-data content that attempts to change the admin password without proper session validation. For example, inspecting web server logs or using tools like curl to simulate or detect such requests. A sample command to test the vulnerability could be a crafted POST request similar to the proof-of-concept: curl -X POST -F 'password=admin@123' -F 'password2=admin@123' -F 'update=Update' https://<target>/admin/change_pass.php. Additionally, monitoring for unexpected password change attempts or unusual admin account activity can help detect exploitation attempts. [1]

Mitigation Strategies

Immediate mitigation steps include restricting access to the affected software, especially the /admin/change_pass.php endpoint, to trusted IPs or networks, and ensuring users do not visit untrusted websites while authenticated. Since no known countermeasures or recommended mitigations exist for this vulnerability, replacing or upgrading the affected software version is suggested. Additionally, implementing web application firewall (WAF) rules to block CSRF attempts and enforcing proper session validation and password reset procedures can help mitigate the risk. [2, 1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-11051. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart