Platform
php
Component
critical-security-vulnerability-report-csrf-forced-withdrawal
Fixed version
1.0.1
CVE-2025-13119 describes a cross-site request forgery (CSRF) vulnerability discovered in Simple E-Banking System versions 1.0 through 1.0. This flaw allows attackers to trick authenticated users into performing unintended actions, potentially leading to unauthorized financial transactions. A fix is available in version 1.0.1, and immediate patching is recommended.
A successful CSRF attack against Simple E-Banking System could allow an attacker to initiate unauthorized fund transfers, modify account details, or perform other sensitive actions on behalf of a legitimate user. The attack is initiated remotely, meaning an attacker doesn't need direct access to the server. The published exploit significantly increases the risk of exploitation, as attackers can readily leverage it to target vulnerable systems. The blast radius extends to any user of the affected Simple E-Banking System, particularly those who regularly access the system through web browsers.
The exploit for CVE-2025-13119 has been publicly published, indicating a high probability of exploitation. The vulnerability is not currently listed on CISA KEV. Given the availability of a public exploit, organizations should prioritize patching to prevent potential attacks. Active campaigns targeting this vulnerability are possible, though no confirmed instances are publicly available at this time.
Small to medium-sized businesses and organizations that rely on Simple E-Banking System for their financial transactions are at significant risk. Specifically, those using the vulnerable versions 1.0–1.0 without proper security controls, such as WAFs or input validation, are particularly susceptible to exploitation.
• generic web:
curl -I <banking_system_url> | grep -i 'csrf-token'
• generic web:
grep -r 'csrf_token' /var/www/html/disclosure
Note that curl -I retrieves response headers only, so the first check can only detect a token exposed in a header; a token embedded as a hidden form field will not be found by it. The second check searches the deployed source tree for token handling and does not by itself prove that every state-changing request is validated.
Exploitation status
EPSS
0.07% (22nd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-13119 is to upgrade to version 1.0.1 of Simple E-Banking System. If upgrading immediately is not feasible, apply temporary mitigations such as strict input validation on all user-supplied data and a Web Application Firewall (WAF) with CSRF protection rules. Consider setting the SameSite attribute on the session cookie so that cross-site requests do not carry it. Regularly review and update security configurations to minimize the attack surface. After upgrading, confirm the vulnerability is resolved by attempting a CSRF attack via a testing tool.
Upgrade to a fixed version of Simple E-Banking System to resolve the CSRF vulnerability. If no fixed version is available yet, implement CSRF protection, such as CSRF tokens, on all sensitive operations in the system.
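The token-based protection recommended above, shown as an added example in PHP (the platform listed for this component). This is not code from Simple E-Banking System or its vendor; the file name transfer.php, the form field names, and the helper functions csrf_token(), csrf_check() and same_origin_request() are assumptions made for the illustration. It combines a session-bound synchronizer token, a SameSite session cookie, and an Origin/Referer check as a second layer:

```php
<?php
// Added example, not code from Simple E-Banking System. Assumed file: transfer.php.
// A fund-transfer handler that rejects cross-site requests.
declare(strict_types=1);

// Session cookie hardening: SameSite=Lax stops cross-site POSTs from carrying
// the session cookie; Secure and HttpOnly are defence in depth.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();

/** Issue (or reuse) a random per-session token for state-changing forms. */
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

/** Validate the token submitted with a state-changing request. */
function csrf_check(?string $submitted): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    // hash_equals compares in constant time; a missing or wrong token fails.
    return $submitted !== null && $expected !== '' && hash_equals($expected, $submitted);
}

/** Second layer: the Origin (or Referer) header must name this site's host. */
function same_origin_request(string $expected_host): bool
{
    $source = $_SERVER['HTTP_ORIGIN'] ?? $_SERVER['HTTP_REFERER'] ?? '';
    if ($source === '') {
        return false; // browsers send Origin on cross-site POSTs; treat absence as untrusted
    }
    $host = parse_url($source, PHP_URL_HOST);
    return is_string($host) && strcasecmp($host, $expected_host) === 0;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $own_host = explode(':', $_SERVER['HTTP_HOST'] ?? '')[0];
    if (!csrf_check($_POST['csrf_token'] ?? null) || !same_origin_request($own_host)) {
        http_response_code(403);
        // Log rejected requests so repeated failures can be spotted in monitoring.
        error_log('CSRF check failed for transfer request from ' . ($_SERVER['REMOTE_ADDR'] ?? '?'));
        exit('Request rejected.');
    }
    // Amount/account validation and the actual transfer would follow here.
    exit('Transfer accepted.');
}

// GET: render the transfer form with the token embedded as a hidden field.
$token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
echo <<<HTML
<form method="post" action="transfer.php">
  <input type="hidden" name="csrf_token" value="{$token}">
  <label>Destination account <input name="to_account"></label>
  <label>Amount <input name="amount"></label>
  <button type="submit">Transfer</button>
</form>
HTML;
```

A forged request from another site cannot read the hidden token (same-origin policy), so the token check fails; with SameSite=Lax the session cookie is also absent on a cross-site POST, and the Origin check rejects the request even if a token were somehow leaked. Any real handler should apply the same check to every state-changing endpoint, not only the transfer form.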
CVE-2025-13119 is a cross-site request forgery (CSRF) vulnerability affecting Simple E-Banking System versions 1.0–1.0, allowing attackers to perform unauthorized actions.
You are affected if you are using Simple E-Banking System versions 1.0–1.0. Upgrade to version 1.0.1 to mitigate the risk.
Upgrade to version 1.0.1. If immediate upgrade is not possible, implement WAF rules and input validation as temporary mitigations.
The exploit is publicly available, increasing the likelihood of exploitation. Active campaigns are possible but not confirmed.
Refer to the vendor's website or security advisories for the latest information on CVE-2025-13119 and Simple E-Banking System.