Platform
php
Component
pocvuldb
Fixed in
20250728.0.1
CVE-2025-13177 describes a cross-site request forgery (CSRF) vulnerability discovered in Bdtask SalesERP, a PHP-based application. The flaw lets an attacker induce an authenticated user's browser to submit state-changing requests the user never intended, potentially leading to unauthorized data modification or system compromise. The vulnerability affects versions of SalesERP released prior to 20250728, and a fix is available in version 20250728.0.1.
A successful CSRF attack against Bdtask SalesERP could allow an attacker to perform actions as a logged-in user without their knowledge or consent. This includes modifying data, creating new records, or even potentially gaining administrative access depending on the user's privileges and the application's functionality. The remote nature of the vulnerability means an attacker doesn't need to be on the same network as the target system. Given the public availability of the exploit, the risk of exploitation is elevated, particularly for systems running vulnerable versions of SalesERP.
The vulnerability is publicly disclosed and an exploit is available, significantly increasing the risk of exploitation. The vendor, Bdtask, was contacted but did not respond. This lack of engagement raises concerns about the vendor's responsiveness to security issues. The CVE was published on 2025-11-14.
Organizations using Bdtask SalesERP, particularly those with publicly accessible instances or those that rely on SalesERP for critical business processes, are at risk. Shared hosting environments where multiple users share the same SalesERP instance are also particularly vulnerable, as an attacker could potentially compromise multiple users through a single CSRF attack.
• php / web: Check SalesERP version by examining the application's version file (typically version.php or similar).
• generic web: Monitor access logs for unusual requests originating from external sources, especially those targeting sensitive endpoints.
• generic web: Implement a Content Security Policy (CSP) to restrict the sources from which the browser can load resources, mitigating CSRF attacks.
• generic web: Use browser developer tools to inspect network requests and identify potential CSRF attempts.
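The access-log monitoring suggested above can be scripted. The following PHP is an added example, not code from the advisory or from SalesERP: it parses combined-format access log lines, keeps only state-changing requests to a set of assumed sensitive endpoints, and flags those whose Referer host is not the application's own host. The hostname `erp.example.internal`, the endpoint paths and the log lines are all constructed for the example.

```php
<?php
// Added example, not code from the advisory or from SalesERP: scan access log lines for
// state-changing requests to sensitive endpoints whose Referer host is not the
// application's own host. The hostname, endpoint paths and log lines are constructed.
declare(strict_types=1);

const APP_HOST = 'erp.example.internal';                                      // assumed SalesERP hostname
const SENSITIVE_PATHS = ['/user/create', '/user/update', '/settings/update']; // assumed endpoints

// Parse one line in Apache/nginx combined log format (request line, status, size, Referer).
function parseLogLine(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)"/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return [
        'ip'      => $m[1],
        'time'    => $m[2],
        'method'  => $m[3],
        'path'    => $m[4],
        'status'  => (int) $m[5],
        'referer' => $m[6],
    ];
}

// Return a reason string when a request looks cross-site, null otherwise.
function crossSiteIndicator(array $req): ?string
{
    if (!in_array($req['method'], ['POST', 'PUT', 'DELETE'], true)) {
        return null; // only state-changing methods matter for CSRF
    }
    $path = parse_url($req['path'], PHP_URL_PATH) ?: $req['path'];
    if (!in_array($path, SENSITIVE_PATHS, true)) {
        return null;
    }
    if ($req['referer'] === '' || $req['referer'] === '-') {
        // Weaker signal: browsers and privacy settings sometimes omit Referer entirely.
        return 'no Referer on state-changing request';
    }
    $host = parse_url($req['referer'], PHP_URL_HOST);
    if (!is_string($host) || strcasecmp($host, APP_HOST) !== 0) {
        return 'Referer host ' . var_export($host, true) . ' does not match ' . APP_HOST;
    }
    return null;
}

// Run the indicator over every parseable line and collect the hits.
function findCrossSiteRequests(array $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        $req = parseLogLine($line);
        if ($req === null) {
            continue;
        }
        $why = crossSiteIndicator($req);
        if ($why !== null) {
            $hits[] = ['time' => $req['time'], 'ip' => $req['ip'], 'path' => $req['path'], 'reason' => $why];
        }
    }
    return $hits;
}

// Constructed sample log: lines 3 and 4 should be flagged, lines 1 and 2 should not.
$sampleLog = [
    '198.51.100.10 - - [14/Nov/2025:09:58:12 +0000] "GET /dashboard HTTP/1.1" 200 5120 "https://erp.example.internal/login" "Mozilla/5.0"',
    '198.51.100.10 - - [14/Nov/2025:09:59:40 +0000] "POST /user/create HTTP/1.1" 302 0 "https://erp.example.internal/user/add" "Mozilla/5.0"',
    '198.51.100.10 - - [14/Nov/2025:10:00:01 +0000] "POST /user/create HTTP/1.1" 302 0 "https://attacker.example/page.html" "Mozilla/5.0"',
    '203.0.113.7 - - [14/Nov/2025:10:03:15 +0000] "POST /settings/update HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
];

foreach (findCrossSiteRequests($sampleLog) as $hit) {
    printf("%s %s %s -> %s\n", $hit['time'], $hit['ip'], $hit['path'], $hit['reason']);
}
```

A missing Referer is reported separately from a mismatched one because it is a much weaker indicator; treat those entries as candidates for review rather than as confirmed attacks. Once a fixed version is deployed, the same script is useful for confirming that rejected cross-site submissions show up as 403 responses rather than 302 redirects.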
Vulnerability exists in versions prior to 20250728
Fixed version released (20250728.0.1)
CVE published
Exploit publicly available
Exploit status
EPSS
0.06% (percentile 20%)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-13177 is to immediately upgrade Bdtask SalesERP to version 20250728.0.1 or later. If upgrading is not immediately feasible, consider implementing temporary workarounds such as strict input validation and output encoding to prevent malicious requests from being processed. Implementing a Content Security Policy (CSP) can also help mitigate CSRF attacks by restricting the sources from which the browser can load resources. Regularly review application logs for suspicious activity.
Update SalesERP to a version later than 20250728 that fixes the CSRF (Cross-Site Request Forgery) vulnerability. If no such version is available, implement CSRF protections in the code, such as CSRF tokens in forms together with server-side validation.
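The synchronizer-token protection recommended above, written out as an added PHP example (this is generic code, not SalesERP's own implementation or a patch for it): a random per-session token is embedded as a hidden field in every state-changing form and compared in constant time on submission, with a SameSite session cookie and an Origin/Referer check as independent second layers. The `csrf_token` field name, the `/user/create` endpoint and the `APP_ORIGIN` value are assumptions chosen for the example.

```php
<?php
// Added example, not SalesERP code: synchronizer-token CSRF protection for PHP forms.
// The field name, endpoint path and APP_ORIGIN are assumptions, not taken from SalesERP.
declare(strict_types=1);

const APP_ORIGIN = 'https://erp.example.internal'; // assumed origin of the deployed application

function startSecureSession(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    // SameSite=Lax keeps the session cookie off cross-site POSTs; this is a second layer
    // that works even if a form is ever shipped without the token.
    session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax', 'path' => '/']);
    session_start();
}

// Generate one random token per session and keep the server-side copy in the session.
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Hidden field to place inside every form that changes state.
function csrfField(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8') . '">';
}

// Compare the submitted token with the session copy in constant time.
function csrfTokenIsValid(array $post, array $session): bool
{
    $submitted = $post['csrf_token'] ?? '';
    $expected  = $session['csrf_token'] ?? '';
    if (!is_string($submitted) || !is_string($expected) || $expected === '') {
        return false;
    }
    return hash_equals($expected, $submitted);
}

// Defence in depth: if the browser sent Origin (or Referer), it must match our origin.
// Header keys are expected in lower case (see requireCsrfProtection).
function originIsAllowed(array $headers): bool
{
    if (isset($headers['origin'])) {
        return $headers['origin'] === APP_ORIGIN;
    }
    if (isset($headers['referer'])) {
        $p = parse_url($headers['referer']);
        if ($p === false || !isset($p['scheme'], $p['host'])) {
            return false;
        }
        $ref = $p['scheme'] . '://' . $p['host'] . (isset($p['port']) ? ':' . $p['port'] : '');
        return $ref === APP_ORIGIN;
    }
    return true; // neither header present: rely on the token check alone
}

// Call at the top of every state-changing handler (e.g. the assumed /user/create endpoint).
function requireCsrfProtection(): void
{
    startSecureSession();
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        return; // GET handlers must not change state, so they need no token
    }
    $headers = function_exists('getallheaders') ? array_change_key_case(getallheaders(), CASE_LOWER) : [];
    if (!originIsAllowed($headers) || !csrfTokenIsValid($_POST, $_SESSION)) {
        http_response_code(403);
        exit('Request rejected: missing or invalid CSRF token');
    }
}

// Usage in the page that renders the form:
//   startSecureSession();
//   echo '<form method="post" action="/user/create">' . csrfField() . ' ... </form>';
// Usage at the top of the handler that processes it:
//   requireCsrfProtection();
```

Two details matter in practice: the token is compared with `hash_equals` rather than `==` so the comparison does not leak timing, and the Origin/Referer check only rejects when a header is present and wrong, because some browsers and proxies strip both headers and the token remains the check of record. Any handler that changes data in response to a GET request still needs to be converted to POST before this protection applies to it.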
CVE-2025-13177 is a cross-site request forgery (CSRF) vulnerability affecting Bdtask SalesERP versions before 20250728.0.1, allowing attackers to perform actions as authenticated users.
You are affected if you are using Bdtask SalesERP versions prior to 20250728.0.1. Check your version and upgrade immediately if vulnerable.
Upgrade Bdtask SalesERP to version 20250728.0.1 or later. Consider temporary workarounds like input validation and CSP if immediate upgrade is impossible.
Yes, an exploit for CVE-2025-13177 is publicly available, indicating a high risk of active exploitation.
As of the publication date, Bdtask has not released an official advisory. Monitor their website and relevant security forums for updates.