CVE-2025-11051

4.3 MEDIUM

📋 TL;DR

This CVE describes a Cross-Site Request Forgery (CSRF) vulnerability in SourceCodester Pet Grooming Management Software 1.0. Attackers can trick authenticated users into performing unintended actions by crafting malicious requests. Organizations using this specific software version are affected.

💻 Affected Systems

Products:
  • SourceCodester Pet Grooming Management Software
Versions: 1.0
Operating Systems: Any OS running the web application
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability affects unknown code components within the application. All installations of version 1.0 are vulnerable unless patched.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker could perform administrative actions like creating new user accounts, modifying system settings, or deleting data by tricking an administrator into clicking a malicious link.

🟠 Likely Case

Attackers could modify user data, change settings, or perform unauthorized actions within the grooming management system using authenticated user sessions.

🟢 If Mitigated

With proper CSRF protections and user awareness, the risk is limited to unsuccessful exploitation attempts that are logged and monitored.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires the attacker to trick an authenticated user into interacting with malicious content. No authentication bypass is needed as the attack leverages existing user sessions.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check vendor for updated version

Vendor Advisory: https://www.sourcecodester.com/

Restart Required: No

Instructions:

1. Check the SourceCodester website for security updates.
2. Apply the latest patch or update to a fixed version.
3. Verify that CSRF protections are implemented in the updated code.

🔧 Temporary Workarounds

Implement CSRF Tokens

Applies to: all

Add anti-CSRF tokens to all state-changing requests in the application, and validate the token server-side against the value stored in the user's session before the action is performed.

SameSite Cookie Attribute

Applies to: all

Set SameSite=Strict or SameSite=Lax on session cookies. Note that SameSite=Lax still sends the cookie on top-level GET navigations, so it only protects state-changing endpoints that refuse GET requests.
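The two workarounds above (a per-session synchronizer token checked on every state-changing request, and a session cookie carrying SameSite) as an added example; this is illustrative code, not code from the vulnerable application or the vendor, and the cookie name PHPSESSID and the form field name csrf_token are assumptions.

```python
# Added example (not from the advisory or the vendor's code): a minimal
# synchronizer-token CSRF check plus a SameSite session cookie.
import hmac
import secrets
from http.cookies import SimpleCookie

# Methods that change state and therefore must carry a valid token.
STATE_CHANGING = {"POST", "PUT", "DELETE", "PATCH"}


def issue_csrf_token(session: dict) -> str:
    """Mint one random token per login session and keep it server-side.

    The same value is embedded in every form as a hidden csrf_token field.
    """
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def session_cookie_header(session_id: str) -> str:
    """Build the Set-Cookie value for the session cookie with SameSite set.

    PHPSESSID is an assumed cookie name; use whatever the application sets.
    """
    c = SimpleCookie()
    c["PHPSESSID"] = session_id
    c["PHPSESSID"]["samesite"] = "Lax"   # Strict if cross-site entry is not needed
    c["PHPSESSID"]["httponly"] = True
    c["PHPSESSID"]["secure"] = True
    c["PHPSESSID"]["path"] = "/"
    return c.output(header="").strip()


def csrf_request_allowed(method: str, session: dict, form: dict) -> bool:
    """Reject state-changing requests whose token is missing or wrong.

    GET is passed through, which is only safe if no GET handler mutates
    state; SameSite=Lax does not protect GET endpoints.
    """
    if method.upper() not in STATE_CHANGING:
        return True
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token")
    if not expected or not supplied:
        return False
    # Constant-time comparison so the check leaks nothing about the token.
    return hmac.compare_digest(expected, supplied)
```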

🧯 If You Can't Patch

  • Implement a web application firewall (WAF) with CSRF protection rules
  • Educate users about the risks of clicking unknown links while authenticated

🔍 How to Verify

Check if Vulnerable:

Test if state-changing requests (POST, PUT, DELETE) lack CSRF tokens or other protections

Check Version:

Check application version in admin panel or about page

Verify Fix Applied:

Verify that all state-changing requests now include and validate CSRF tokens

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed state-changing requests from same IP
  • Unusual administrative actions from non-admin users

Network Indicators:

  • Requests lacking referrer headers or CSRF tokens
  • Suspicious redirects to external sites

SIEM Query:

source="web_logs" AND (method="POST" OR method="PUT" OR method="DELETE") AND csrf_token="null"

Adjust the field name to match how the web server or application logs the token; the literal value "null" only matches log sources that write that string when the token is absent, so a query for a missing field (for example NOT csrf_token=* in Splunk-style syntax) may be needed instead.

🔗 References