CVE-2019-25233
Unknown
Unknown - Not Provided
CSRF and XSS in AVE DOMINAplus 1.10.x Enable Admin Takeover
Vulnerability report for CVE-2019-25233, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.
Publication date: 2025-12-24
Last updated on: 2025-12-24
Assigner: VulnCheck
Description
Description
AVE DOMINAplus 1.10.x contains cross-site request forgery and cross-site scripting vulnerabilities that allow attackers to perform administrative actions without user consent. Attackers can craft malicious web pages to exploit login.php parameters and execute arbitrary scripts in user browser sessions.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ave | domina_plus | 1.10 |
| ave | touch_screen_code_ts01 | 1.0.65 |
| ave | touch_screen_code_ts03x-v | 1.10.45a |
| apache | http_server | 2.2.22 |
| ave | web_server_code | 1.10.62 |
| ave | touch_screen_code_ts05 | 1.10.36 |
| php | php | 5.4.41 |
| apache | http_server | 2.4.7 |
| php | php | 5.5.9 |
| php | php | 5.4.36 |
| ave | domina | 1.10.x |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |