CVE-2025-11442
BaseFortify
Publication date: 2025-10-08
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| jhumanj | opnform | to 1.9.3 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a cross-site request forgery (CSRF) flaw in JhumanJ OpnForm up to version 1.9.3, specifically in an unknown function of the API Endpoint component. Although the API requires authentication via Authorization Bearer Tokens (JWT), which normally prevents classic CSRF attacks, an attacker could exploit this if they manage to obtain the JWT through other means such as cross-site scripting (XSS). However, XSS vulnerabilities have been mitigated, making initial access difficult. The vulnerability can be exploited remotely, and a public exploit is available.
How can this vulnerability impact me? :
The vulnerability could allow an attacker to perform unauthorized actions on behalf of an authenticated user by exploiting the CSRF flaw if they manage to obtain the user's JWT token. This could lead to limited integrity impact, such as unauthorized changes or actions within the application, but it does not affect confidentiality or availability directly. Since initial access to the JWT is difficult due to mitigations against XSS, the practical impact may be limited but still poses a security risk.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability is challenging because the vendor states that API calls require authentication through Authorization Bearer Tokens, which mitigates classic CSRF attacks. Since the exploit requires possession of a JWT token (which is protected against initial access), there are no specific commands or straightforward network detection methods provided to identify this vulnerability.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include ensuring that API endpoints strictly require Authorization Bearer Tokens for authentication, maintaining protections against XSS attacks to prevent attackers from obtaining JWT tokens, and monitoring for any unusual API usage patterns. Since classic CSRF attacks do not apply due to token requirements, focus should be on securing token handling and preventing token theft.