MEDIUM · CVE-2025-13296 · CVSS 5.4

CVE-2025-13296: CSRF in T-Soft E-Commerce

Platform: other
Component: t-soft-e-commerce
Fixed in: 28112025.0.1

AI Confidence: medium · Source: NVD · EPSS 0.0% · Reviewed: May 2026

CVE-2025-13296 describes a Cross-Site Request Forgery (CSRF) vulnerability present in Tekrom Technology Inc.'s T-Soft E-Commerce platform. This vulnerability allows attackers to trick authenticated users into performing actions they did not intend to, potentially leading to unauthorized modifications or data breaches. The vulnerability impacts versions of T-Soft E-Commerce from 0 through 28112025, and a patch is available in version 28112025.0.1.

Impact and Attack Scenarios

A successful CSRF attack could allow an attacker to modify user accounts, change product prices, place fraudulent orders, or perform other administrative actions as the victim user. The impact is directly tied to the permissions of the compromised user account. For example, an attacker could leverage this vulnerability to escalate privileges if the victim is an administrator. The blast radius is limited to the scope of the user's access within the e-commerce platform. While CSRF typically requires social engineering to trick a user into clicking a malicious link, automated attacks are possible if the attacker can identify predictable URLs or patterns within the application.

Exploitation Context

CVE-2025-13296 was publicly disclosed on December 1, 2025. There is no indication of active exploitation or KEV listing at the time of writing. No public proof-of-concept (PoC) code has been released. The CVSS score is 5.4 (MEDIUM), indicating a moderate level of severity.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: NO
Internet Exposure: High

EPSS

0.02% (5% percentile)

CISA SSVC

Exploitation: none
Automatable: no
Technical Impact: partial

CVSS Vector

CVSS 3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Base score: 5.4 (MEDIUM)

Attack Vector: Network (how the attacker reaches the target)
Attack Complexity: Low (conditions required to exploit)
Privileges Required: None (authentication level needed to attack)
User Interaction: Required (whether a victim must take action)
Scope: Unchanged (impact beyond the vulnerable component)
Confidentiality: Low (risk of sensitive data exposure)
Integrity: Low (risk of unauthorized data modification)
Availability: None (risk of service disruption)

(nextguardhq.com · CVSS v3.1 Base Score)

What do these metrics mean?

Attack Vector: Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity: Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required: None — unauthenticated. No login or credentials needed to exploit.
User Interaction: Required — victim must take an action: open a file, click a link, or visit a crafted page.
Scope: Unchanged — impact is limited to the vulnerable component itself.
Confidentiality: Low — partial or indirect data access. Attacker gains limited information.
Integrity: Low — attacker can modify some data with limited scope or impact.
Availability: None — no availability impact. Service remains fully operational.

Affected Software

Component: t-soft-e-commerce
Vendor: Tekrom Technology Inc.
Affected range: 0 – 28112025
Fixed in: 28112025.0.1

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. EPSS updated

Mitigation and Workarounds

The primary mitigation for CVE-2025-13296 is to upgrade T-Soft E-Commerce to version 28112025.0.1 or later. If an immediate upgrade is not feasible, consider implementing CSRF protection mechanisms such as synchronizer tokens or double-submit cookies. Web Application Firewalls (WAFs) can be configured to detect and block suspicious CSRF requests based on patterns and anomalies. Review and strengthen user input validation to prevent unexpected behavior. Educate users about the risks of clicking on suspicious links and opening untrusted attachments.
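As an added illustration of the synchronizer-token pattern named above (example code written for this page, not T-Soft's own implementation), the following Python handler mints a per-session token, stores only its HMAC server-side, and refuses state-changing requests that lack a valid token or that carry an Origin/Referer from another site. The session store, server secret, storefront origin (shop.example) and request dictionaries are constructed stand-ins for a real framework's objects.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlparse

# Constructed stand-ins: an in-memory session store and a per-deployment secret.
SESSIONS = {}  # session_id -> {"csrf": hex HMAC of the issued token}
SERVER_SECRET = secrets.token_bytes(32)
SITE = urlparse("https://shop.example")  # hypothetical storefront origin
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def issue_token(session_id):
    """Mint a random token for the session; keep only its HMAC server-side."""
    token = secrets.token_urlsafe(32)
    digest = hmac.new(SERVER_SECRET, token.encode(), hashlib.sha256).hexdigest()
    SESSIONS.setdefault(session_id, {})["csrf"] = digest
    return token  # the template embeds this as a hidden form field


def token_valid(session_id, submitted):
    """Constant-time comparison of the submitted token's HMAC with the stored one."""
    expected = SESSIONS.get(session_id, {}).get("csrf")
    if expected is None or not submitted:
        return False
    got = hmac.new(SERVER_SECRET, submitted.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(got, expected)


def same_site_origin(headers):
    """Reject requests whose Origin/Referer names another site.
    A bare startswith() check would accept https://shop.example.evil.test,
    so compare the parsed scheme and host instead."""
    src = headers.get("Origin") or headers.get("Referer")
    if src is None:
        return True  # some clients send neither; the token check still applies
    parsed = urlparse(src)
    return (parsed.scheme, parsed.netloc) == (SITE.scheme, SITE.netloc)


def handle(session_id, method, form, headers):
    """Minimal dispatcher: safe methods pass; state changes need both checks."""
    if method not in STATE_CHANGING:
        return 200, "read-only request served"
    if not same_site_origin(headers):
        return 403, "cross-site request blocked"
    if not token_valid(session_id, form.get("csrf_token")):
        return 403, "missing or invalid CSRF token"
    return 200, "state change applied"
```

A forged request from an attacker-controlled page carries the victim's session cookie but cannot read the token, so it fails the second check even when the browser omits the Origin header.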

How to fix

Update T-Soft E-Commerce to a version later than 28112025 or apply the patch provided by the vendor. Refer to the vendor's security advisory for detailed instructions on updating or patching. Implement CSRF protection measures in your application.


Frequently asked questions

What is CVE-2025-13296 — CSRF in T-Soft E-Commerce?

CVE-2025-13296 is a Cross-Site Request Forgery (CSRF) vulnerability allowing attackers to perform unauthorized actions in T-Soft E-Commerce.

Am I affected by CVE-2025-13296 in T-Soft E-Commerce?

You are affected if you are using T-Soft E-Commerce versions 0 through 28112025.

How do I fix CVE-2025-13296 in T-Soft E-Commerce?

Upgrade to version 28112025.0.1 or implement CSRF protection mechanisms like synchronizer tokens.

Is CVE-2025-13296 being actively exploited?

There is currently no evidence of active exploitation.

Where can I find the official T-Soft E-Commerce advisory for CVE-2025-13296?

Refer to the official T-Soft E-Commerce advisory for detailed information and updates.
