Platform
php
Component
galette/galette
Fixed in
1.2.1
CVE-2025-58053 describes a Privilege Escalation vulnerability affecting Galette versions up to 1.2.0. This flaw allows an attacker to elevate their privileges within the Galette application by crafting malicious POST requests during account updates. The vulnerability has been resolved in version 1.2.0, and users are strongly advised to upgrade.
An attacker exploiting this vulnerability could gain unauthorized access to administrative functions and sensitive data within the Galette system. By forging a POST request during an account update, they can effectively bypass access controls and assume a higher privilege level. This could lead to data breaches, modification of user accounts, and potentially complete compromise of the Galette instance. The impact is particularly severe for organizations relying on Galette for managing membership data and sensitive information.
This vulnerability was publicly disclosed on 2025-12-19. No public proof-of-concept (PoC) code has been released at the time of writing. The vulnerability is not currently listed on the CISA KEV catalog. Active exploitation is not confirmed, but the ease of exploitation suggests potential for future attacks.
Non-profit organizations utilizing Galette for membership management are at risk. Specifically, deployments with older versions of Galette (≤ 1.2.0) and those lacking robust input validation on account update forms are particularly vulnerable. Shared hosting environments where multiple Galette instances share resources could also experience broader impact if one instance is compromised.
• wordpress / composer / npm:
grep -r 'POST /account/update' /var/www/galette/app/config/routing.php
• generic web:
curl -sI http://your-galette-instance/account/update | grep 'HTTP/1.1 200 OK'
Disclosure
Exploit status
EPSS
0.07% (20th percentile)
CISA SSVC
The primary mitigation for CVE-2025-58053 is to upgrade Galette to version 1.2.0 or later, which includes the necessary fix. If an immediate upgrade is not feasible, consider implementing strict input validation on all account update endpoints to prevent the injection of malicious POST data. Web application firewalls (WAFs) configured to detect and block suspicious POST requests can also provide a temporary layer of protection. After upgrading, verify the fix by attempting an account update with a crafted POST request and confirming that the privilege escalation attempt is blocked.
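The interim mitigation above amounts to one rule: a self-service account update must never take privilege-related fields from the request body, only from the caller's authenticated session. The following PHP snippet is an added illustration of that server-side allow-list; it is not Galette's code, and the field names (`is_admin`, `is_staff`, `groups`), the role model and the `applyAccountUpdate` helper are assumptions made for the example.

```php
<?php
// Added example, not Galette's code. Field names and the role model are
// assumptions for illustration only.
declare(strict_types=1);

// Fields a member may change about their own account (assumed names).
const SELF_EDITABLE_FIELDS = ['name', 'email', 'address', 'phone'];

// Fields that must never be taken from a self-service request (assumed names).
const PRIVILEGE_FIELDS = ['is_admin', 'is_staff', 'groups'];

/**
 * Reduce a submitted POST body to the fields the caller may edit.
 * $callerIsAdmin must come from the authenticated session, never from $post.
 * Returns [$accepted, $rejected]; $rejected lists the dropped field names.
 */
function filterAccountUpdate(array $post, bool $callerIsAdmin): array
{
    $allowed = $callerIsAdmin
        ? array_merge(SELF_EDITABLE_FIELDS, PRIVILEGE_FIELDS)
        : SELF_EDITABLE_FIELDS;

    $accepted = [];
    $rejected = [];
    foreach ($post as $field => $value) {
        if (in_array($field, $allowed, true)) {
            $accepted[$field] = $value;
        } else {
            $rejected[] = $field;
        }
    }
    return [$accepted, $rejected];
}

/**
 * Merge only the accepted fields into the stored record. A privilege field
 * arriving in a non-admin request is logged: it is a detection signal, not
 * just a validation error.
 */
function applyAccountUpdate(array $stored, array $post, bool $callerIsAdmin): array
{
    [$accepted, $rejected] = filterAccountUpdate($post, $callerIsAdmin);
    foreach ($rejected as $field) {
        if (in_array($field, PRIVILEGE_FIELDS, true)) {
            error_log(sprintf(
                'rejected privilege field "%s" in self-service update for member %d',
                $field,
                $stored['id']
            ));
        }
    }
    // Stored privilege values are carried forward untouched.
    return array_merge($stored, $accepted);
}

// Constructed sample: a member changes their name, and the request body also
// carries an is_admin flag. The flag is dropped and the stored value is kept.
$stored = ['id' => 42, 'name' => 'Alice', 'email' => 'a@example.org', 'is_admin' => false];
$post   = ['name' => 'Alice B.', 'is_admin' => '1'];
$result = applyAccountUpdate($stored, $post, false);

echo $result['name'], PHP_EOL;
echo var_export($result['is_admin'], true), PHP_EOL;
```

The design point is that the allow-list is decided by the server-side role, so the request body cannot widen it; a WAF rule that blocks unexpected field names on the update endpoint is a coarser version of the same check and is worth logging for the same reason.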
Update Galette to version 1.2.0 or later. This version fixes the privilege escalation vulnerability. The update can be performed through the Galette administration panel or by downloading the new version from the official website and replacing the files.
CVE-2025-58053 is a vulnerability in Galette versions prior to 1.2.0 that allows an attacker to gain higher privileges by forging a POST request during account updates.
You are affected if you are running Galette version 1.2.0 or earlier. Upgrade to version 1.2.0 to mitigate the risk.
Upgrade Galette to version 1.2.0 or later. Implement stricter input validation on account update forms as an interim measure.
There are currently no confirmed reports of active exploitation, but the vulnerability is publicly known.
Refer to the Galette project's official security advisories and release notes for details: [https://galette.org/](https://galette.org/)