Platform: php
Component: pocvuldb
Fixed in: 20250728.0.1
CVE-2025-13177 describes a cross-site request forgery (CSRF) vulnerability discovered in Bdtask SalesERP, a PHP-based application. This flaw allows an attacker to trick authenticated users into unknowingly executing malicious actions on their behalf, potentially leading to unauthorized data modification or system compromise. The vulnerability affects versions of SalesERP released prior to 20250728, and a fix is available in version 20250728.0.1.
A successful CSRF attack against Bdtask SalesERP could allow an attacker to perform actions as a logged-in user without their knowledge or consent. This includes modifying data, creating new records, or even potentially gaining administrative access depending on the user's privileges and the application's functionality. The remote nature of the vulnerability means an attacker doesn't need to be on the same network as the target system. Given the public availability of the exploit, the risk of exploitation is elevated, particularly for systems running vulnerable versions of SalesERP.
The vulnerability is publicly disclosed and an exploit is available, significantly increasing the risk of exploitation. The vendor, Bdtask, was contacted but did not respond. This lack of engagement raises concerns about the vendor's responsiveness to security issues. The CVE was published on 2025-11-14.
Exploit Status
EPSS: 0.06% (20th percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2025-13177 is to immediately upgrade Bdtask SalesERP to version 20250728.0.1 or later. If upgrading is not immediately feasible, consider implementing temporary workarounds such as strict input validation and output encoding to prevent malicious requests from being processed. Implementing a Content Security Policy (CSP) can also help mitigate CSRF attacks by restricting the sources from which the browser can load resources. Regularly review application logs for suspicious activity.
Update SalesERP to a version later than 20250728 that fixes the CSRF vulnerability. If no version is available, implement CSRF protections in the code, such as CSRF tokens in forms and server-side validation.
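The following is an added example of the token-based protection described above; it is not code from Bdtask SalesERP or from the advisory, and the form action, the trusted origin and the function names are assumptions. It issues one synchronizer token per session, embeds it in forms, and rejects any POST whose token does not match the session copy, logging the failure so that suspicious activity shows up in the application logs. Of the mitigations listed above, this token check is the one that actually blocks a forged cross-site request; input validation and CSP are defence in depth rather than CSRF controls in themselves.

```php
<?php
// Added example (not Bdtask SalesERP code): synchronizer-token CSRF protection
// for a PHP form handler. Names and the trusted origin are placeholders.
declare(strict_types=1);

// Mark the session cookie SameSite=Lax before the session starts, so a plain
// cross-site POST does not carry the session cookie at all (defence in depth).
session_set_cookie_params(['samesite' => 'Lax', 'httponly' => true, 'secure' => true]);
session_start();

// Issue one token per session, generated from a CSPRNG.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Hidden field to embed in every state-changing form.
function csrf_field(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// Server-side check: the submitted token must match the session token.
// hash_equals() compares in constant time, so the check does not leak the token.
function csrf_valid(array $post, array $session): bool
{
    $submitted = $post['csrf_token'] ?? '';
    $expected  = $session['csrf_token'] ?? '';
    return is_string($submitted) && $expected !== ''
        && hash_equals($expected, $submitted);
}

// Defence in depth: also reject requests whose Origin (or, failing that,
// Referer) is not the application's own origin. $trustedOrigin is a placeholder.
function same_origin(array $server, string $trustedOrigin): bool
{
    $source = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? '';
    if ($source === '') {
        return false; // neither header present: treat as untrusted
    }
    $parts = parse_url($source);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    $origin = $parts['scheme'] . '://' . $parts['host']
        . (isset($parts['port']) ? ':' . $parts['port'] : '');
    return strcasecmp($origin, $trustedOrigin) === 0;
}

// Hypothetical handler for a state-changing action (e.g. updating a record).
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $trustedOrigin = 'https://erp.example.test'; // placeholder: the real host

    if (!csrf_valid($_POST, $_SESSION) || !same_origin($_SERVER, $trustedOrigin)) {
        http_response_code(403);
        error_log('CSRF check failed from ' . ($_SERVER['REMOTE_ADDR'] ?? 'unknown')
            . ' for ' . ($_SERVER['REQUEST_URI'] ?? '?'));
        exit('Request rejected.');
    }
    // Token and origin verified: perform the state change here.
}

// GET: render the form with the hidden token field.
echo '<form method="post" action="">' . csrf_field()
    . '<button type="submit">Save</button></form>';
```

Call csrf_field() inside every form that changes state and run csrf_valid() before any such handler executes; because the token lives only in the server-side session and in the page served to the user, a page on another site cannot read it and so cannot forge a request that passes the check. The same_origin() check and the SameSite cookie attribute add a second and third layer should a token ever leak, and the 403 log line gives the reviewer a concrete event to search for.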
CVE-2025-13177 is a cross-site request forgery (CSRF) vulnerability affecting Bdtask SalesERP versions before 20250728.0.1, allowing attackers to perform actions as authenticated users.
You are affected if you are using Bdtask SalesERP versions prior to 20250728.0.1. Check your version and upgrade immediately if vulnerable.
Upgrade Bdtask SalesERP to version 20250728.0.1 or later. Consider temporary workarounds like input validation and CSP if immediate upgrade is impossible.
Yes, an exploit for CVE-2025-13177 is publicly available, indicating a high risk of active exploitation.
As of the publication date, Bdtask has not released an official advisory. Monitor their website and relevant security forums for updates.