CVE-2025-13119

4.3 MEDIUM

📋 TL;DR

This CSRF vulnerability in Simple E-Banking System 1.0 lets an attacker make a logged-in user's browser submit state-changing requests, such as a forced withdrawal, by luring the user to a malicious page. The browser attaches the victim's session cookie automatically, so the attacker needs no credentials of their own. It affects every user of this software who is logged in while browsing other sites.

💻 Affected Systems

Products:
  • Fabian Ros/SourceCodester Simple E-Banking System
Versions: 1.0
Operating Systems: Any
Default Config Vulnerable: ⚠️ Yes
Notes: All installations of version 1.0 are vulnerable; no special configuration required.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could force authenticated users to transfer funds, modify account settings, or perform other banking transactions without their consent, leading to financial loss.

🟠

Likely Case

Attackers create malicious websites that trigger unauthorized banking transactions when visited by logged-in users, potentially draining accounts.

🟢

If Mitigated

With proper CSRF protections, requests would require valid tokens, preventing unauthorized actions even if users visit malicious sites.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

Note that a CSRF request is sent by the victim's own browser, not by the attacker, so an instance reachable only from the corporate network is still exploitable by any external site a logged-in user visits.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit code is publicly available on GitHub. The attacker does not need an account: the victim must be logged in, and the victim's browser supplies the session cookie when the forged form is submitted. Building the malicious page requires no technical expertise.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None found

Restart Required: No

Instructions:

No official patch available. Consider implementing CSRF tokens manually or replacing the software.

🔧 Temporary Workarounds

Implement CSRF Protection

all

Add anti-CSRF tokens to all state-changing requests and validate them server-side.

Use SameSite Cookies

all

Set SameSite=Strict (or at least Lax) on the session cookie so browsers withhold it from cross-site requests. Lax still sends the cookie on top-level GET navigations, so make sure no state-changing action can be triggered by GET. Treat this as defence in depth alongside the token check, not as a replacement for it.

Set-Cookie: session=value; SameSite=Strict; Secure; HttpOnly
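The two workarounds above, worked through in code. This is an added example, not code from Simple E-Banking System or from the advisory: the in-memory session store, the origin https://bank.example and the withdraw handlers are hypothetical stand-ins for the application's real PHP code, which this page does not show. The vulnerable handler accepts any POST that carries a valid session cookie; the hardened one rejects a request whose Origin/Referer names another site and then requires a synchronizer token bound to the session, compared in constant time.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Assumed origin of the banking application (hypothetical; not from the advisory).
APP_ORIGIN = "https://bank.example"

# Constructed in-memory session store standing in for the application's real
# session handling, which this page does not show.
SESSIONS: dict[str, dict] = {}


def new_session(balance: int = 1000) -> str:
    """Log a user in: create a session and bind a fresh anti-CSRF token to it."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"balance": balance, "csrf_token": secrets.token_urlsafe(32)}
    return sid


def session_cookie(sid: str) -> str:
    """Set-Cookie value with the attributes recommended in the workaround above."""
    return f"session={sid}; SameSite=Strict; Secure; HttpOnly; Path=/"


def csrf_token_for(sid: str) -> str:
    """Token the server embeds in its own forms as <input type=hidden name=csrf_token>."""
    return SESSIONS[sid]["csrf_token"]


def _parse_amount(form: dict, balance: int):
    """Return a positive amount within balance, or None if the field is bad."""
    try:
        amount = int(form.get("amount", 0))
    except (TypeError, ValueError):
        return None
    return amount if 0 < amount <= balance else None


def withdraw_vulnerable(sid: str, form: dict) -> tuple[int, str]:
    """CSRF-prone shape: any POST that carries a valid session cookie is honoured,
    no matter which site's page submitted it."""
    session = SESSIONS.get(sid)
    if session is None:
        return 401, "not logged in"
    amount = _parse_amount(form, session["balance"])
    if amount is None:
        return 400, "bad amount"
    session["balance"] -= amount
    return 200, f"withdrew {amount}"


def withdraw_hardened(sid: str, headers: dict, form: dict) -> tuple[int, str]:
    """Same action, but the request must prove it came from the app's own pages."""
    session = SESSIONS.get(sid)
    if session is None:
        return 401, "not logged in"

    # Check 1: browsers attach Origin (or at least Referer) to cross-site POSTs.
    # If either header is present it must name our own origin.
    source = headers.get("Origin") or headers.get("Referer")
    if source:
        parts = urlsplit(source)
        if f"{parts.scheme}://{parts.netloc}".lower() != APP_ORIGIN:
            return 403, "cross-site request rejected"

    # Check 2: synchronizer token, compared in constant time. A foreign page
    # cannot read the token out of the victim's session, so it cannot supply it.
    submitted = str(form.get("csrf_token", ""))
    if not hmac.compare_digest(submitted.encode(), session["csrf_token"].encode()):
        return 403, "missing or invalid CSRF token"

    amount = _parse_amount(form, session["balance"])
    if amount is None:
        return 400, "bad amount"
    session["balance"] -= amount
    return 200, f"withdrew {amount}"


if __name__ == "__main__":
    sid = new_session()
    print(session_cookie(sid))
    # Forged request from another site: works against the vulnerable handler...
    print(withdraw_vulnerable(sid, {"amount": "100"}))
    # ...and is refused by the hardened one, even with the same session cookie.
    print(withdraw_hardened(sid, {"Origin": "https://evil.example"}, {"amount": "100"}))
```

The Origin/Referer check is only a first filter: when both headers are absent the handler falls through to the token check rather than failing open, and the token check alone is sufficient. Any existing form in the application must be updated to include the hidden csrf_token field, and the token must be regenerated on login so a pre-login token cannot be fixed by an attacker.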

🧯 If You Can't Patch

  • Deploy a WAF with CSRF protection rules (typically Origin/Referer enforcement on POST requests to state-changing endpoints) to block forged requests
  • Educate users to log out of banking sessions when not actively using them and avoid clicking suspicious links

🔍 How to Verify

Check if Vulnerable:

Capture a legitimate state-changing request (for example a withdrawal) with Burp Suite and inspect it: if it contains no unpredictable per-session parameter, the application is almost certainly vulnerable. Confirm by generating a CSRF PoC page from the captured request (Burp Suite Professional's "Generate CSRF PoC") and opening it from a different origin in a browser that is logged in; if the transaction goes through, the application is vulnerable.

Check Version:

Check application files or admin panel for version 1.0 indication.

Verify Fix Applied:

Verify that all state-changing requests require and validate CSRF tokens, and test with CSRF PoC tools.

📡 Detection & Monitoring

Log Indicators:

  • State-changing POSTs (withdrawals, transfers) whose Referer or Origin header names a site other than the banking application, or is missing entirely
  • Bursts of repeated or failed transaction attempts from the same IP, and unusual withdrawal patterns across many accounts in a short window

Network Indicators:

  • HTTP requests to banking endpoints with Referer headers from external domains
  • Once a token fix is deployed: POST requests to state-changing endpoints that omit or carry an invalid CSRF token (the unpatched 1.0 code has no token at all, so this indicator only applies after one has been added)

SIEM Query:

source="web_logs" AND method="POST" AND (uri="/withdraw" OR uri="/transfer") AND NOT referer CONTAINS "<your-banking-hostname>"

The endpoint paths and the hostname are placeholders: substitute the application's real state-changing URIs and its own hostname. Review requests with an empty Referer separately, since a malicious page can suppress the header with a no-referrer policy.
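The same detection logic run offline over access-log lines, as an added example that is not part of the advisory. The hostname bank.example, the paths /withdraw and /transfer (the placeholders from the query above) and the four log lines are all constructed for illustration; point APP_HOST and STATE_CHANGING at the real deployment before using it. It flags state-changing POSTs whose Referer names another host, and separately flags POSTs with no Referer at all, which are lower confidence because privacy extensions strip the header too.

```python
import re
from urllib.parse import urlsplit

# Hostname of the banking application and its state-changing paths. Both are
# assumptions: the paths repeat the placeholders used in the SIEM query above.
APP_HOST = "bank.example"
STATE_CHANGING = {"/withdraw", "/transfer"}

# Apache/nginx "combined" access log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log: one legitimate withdrawal, one forged from a foreign
# page, one with the Referer suppressed, and one harmless GET.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Nov/2025:10:01:02 +0000] "POST /withdraw HTTP/1.1" 302 0 "https://bank.example/withdraw" "Mozilla/5.0"
203.0.113.5 - - [12/Nov/2025:10:04:11 +0000] "POST /withdraw HTTP/1.1" 302 0 "https://evil.example/prize.html" "Mozilla/5.0"
198.51.100.7 - - [12/Nov/2025:10:05:40 +0000] "POST /transfer?to=4711 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Nov/2025:10:06:01 +0000] "GET /transfer HTTP/1.1" 200 1532 "https://evil.example/" "Mozilla/5.0"
"""


def classify(line: str):
    """Return (verdict, ip, timestamp, path, referer) for a suspicious request, else None."""
    m = LOG_RE.match(line)
    if not m or m["method"] != "POST":
        return None                       # only state-changing POSTs are of interest
    path = m["path"].split("?", 1)[0]     # drop the query string before matching
    if path not in STATE_CHANGING:
        return None
    referer = m["referer"]
    if referer in ("", "-"):
        # No Referer at all: a CSRF page can suppress it with a no-referrer policy,
        # but privacy extensions do the same, so treat this as lower confidence.
        verdict = "no-referer"
    elif (urlsplit(referer).hostname or "").lower() != APP_HOST:
        verdict = "cross-site-referer"    # the POST was submitted by another site's page
    else:
        return None                       # our own page submitted it
    return verdict, m["ip"], m["ts"], path, referer


def find_suspicious(log_text: str) -> list:
    """Run classify() over every line and keep the hits, in log order."""
    return [hit for hit in map(classify, log_text.splitlines()) if hit]


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(hit)
```

Because the forged request is indistinguishable from a legitimate one apart from its Referer, this is a best-effort hunt, not a control: a no-referrer policy on the attacker's page removes the only signal. The token fix in the mitigation section is what actually stops the attack; once it is in place, 403 responses on these endpoints become the reliable indicator.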
