CVE-2025-8335

4.3 MEDIUM

📋 TL;DR

A Cross-Site Request Forgery (CSRF) vulnerability in Simple Car Rental System 1.0 lets an attacker make a logged-in user's browser submit state-changing requests the user never intended, because the application accepts form submissions without any proof that they originated from its own pages. Every user of the vulnerable version is exposed. The attacker needs no access to the system and no credentials; it is enough to get a logged-in victim to load attacker-controlled content, such as a page carrying an auto-submitting form.

💻 Affected Systems

Products:
  • Simple Car Rental System
Versions: 1.0
Operating Systems: All platforms running the web application
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all installations of version 1.0 regardless of configuration

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

If the victim is an administrator, the forged request runs with administrative privileges: car and rental records can be altered or deleted, user accounts and permissions changed, and other administrative actions performed inside the victim's session.

🟠 Likely Case

Unauthorized changes to rental bookings or account data, executed with the victim's own privileges while they are logged in. The attacker never obtains the session cookie itself, only the ability to make the victim's browser send requests with it.

🟢 If Mitigated

Minimal impact once every state-changing form carries a server-validated anti-CSRF token and the session cookie is marked SameSite.

🌐 Internet-Facing: HIGH - The vulnerability is remotely exploitable and affects web applications exposed to the internet
🏢 Internal Only: MEDIUM - Internal users could still be targeted through phishing or compromised internal sites

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No (the attacker needs no credentials of their own, but the forged request only succeeds while the victim is logged in)
Complexity: LOW

CSRF attacks are well understood and easy to build: the exploit is an attacker-hosted page whose form targets the vulnerable endpoint and submits itself when the victim loads it. Exploit details are publicly available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://code-projects.org/

Restart Required: No

Instructions:

No official patch available. Consider implementing CSRF protection manually or migrating to alternative software.

🔧 Temporary Workarounds

Implement CSRF Tokens

Applies to: all

Add an unpredictable, per-session anti-CSRF token as a hidden field in every state-changing form (create, edit, delete and admin actions) and validate it server-side on every such request: reject any request whose token is missing or does not match the value stored in the session, using a constant-time comparison. The attacker's page cannot read the victim's responses, so it cannot learn the token and a forged submission fails.

SameSite Cookie Attribute

Applies to: all

Set SameSite=Strict or SameSite=Lax on the session cookie so the browser withholds it from cross-site requests. Lax still attaches the cookie to top-level GET navigations, so no state-changing action may be reachable via GET; Strict also blocks those but breaks links into the application from other sites. Treat SameSite as defence in depth alongside tokens, not as a replacement.

Set-Cookie: session=value; SameSite=Strict; Secure; HttpOnly
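Both workarounds above, worked through as an added example for this page (example code, not taken from Simple Car Rental System or its vendor): the synchronizer-token pattern with a constant-time check, plus a session cookie issued with SameSite=Strict, Secure and HttpOnly, using only the Python standard library. The in-memory SESSIONS store, the cookie name `session`, the field name `csrf_token` and the path `/delete-booking.php` are assumptions made for illustration.

```python
import hmac
import secrets
from http.cookies import SimpleCookie

# Constructed stand-in for the server-side session store (session id -> data).
# A real application keeps this in its own session mechanism; the dict is an
# assumption so the example runs offline.
SESSIONS = {}


def start_session():
    """Create a session with a fresh anti-CSRF token.

    Returns (session_id, Set-Cookie header value). The cookie carries
    SameSite=Strict, Secure and HttpOnly, so a browser will not attach it to
    requests initiated from another site.
    """
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"csrf_token": secrets.token_urlsafe(32)}
    cookie = SimpleCookie()
    cookie["session"] = sid
    cookie["session"]["samesite"] = "Strict"
    cookie["session"]["secure"] = True
    cookie["session"]["httponly"] = True
    # output(header="") yields " session=...; HttpOnly; SameSite=Strict; Secure"
    return sid, cookie.output(header="").strip()


def render_form(sid, action):
    """Embed the session's token as a hidden field in a state-changing form.

    An attacker's page cannot read this response (same-origin policy), so it
    never learns the token needed to forge a matching submission.
    """
    token = SESSIONS[sid]["csrf_token"]
    return (
        f'<form method="POST" action="{action}">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '<input type="submit" value="Save"></form>'
    )


def validate_request(cookies, form):
    """The check every state-changing handler must run before acting.

    Returns (ok, reason). Rejects a missing session, a missing token and a
    mismatched token; the comparison is constant-time so the token cannot be
    recovered byte by byte through timing differences.
    """
    sid = cookies.get("session")
    if sid is None or sid not in SESSIONS:
        return False, "no valid session"
    submitted = form.get("csrf_token")
    if not submitted:
        return False, "csrf token missing"
    expected = SESSIONS[sid]["csrf_token"]
    if not hmac.compare_digest(submitted.encode(), expected.encode()):
        return False, "csrf token mismatch"
    return True, "ok"


def demo():
    """One legitimate submission and two forged ones (constructed inputs)."""
    sid, set_cookie = start_session()
    # A form rendered by the server carries the session's token.
    legit = {"csrf_token": SESSIONS[sid]["csrf_token"], "booking_id": "7", "action": "delete"}
    # A cross-site form can copy the field names but not the token.
    forged = {"booking_id": "7", "action": "delete"}
    # A guessed token of the right shape also fails.
    guessed = {"csrf_token": secrets.token_urlsafe(32), "booking_id": "7", "action": "delete"}
    return {
        "set_cookie": set_cookie,
        "form_html": render_form(sid, "/delete-booking.php"),  # hypothetical path
        "legit": validate_request({"session": sid}, legit),
        "forged": validate_request({"session": sid}, forged),
        "guessed": validate_request({"session": sid}, guessed),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run the file to see the Set-Cookie header, the rendered form and the three verdicts. If the application being patched is written in PHP, the same three steps map onto random_bytes() to generate the token, $_SESSION to store it and hash_equals() to compare it before any write.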

🧯 If You Can't Patch

  • Add a WAF or reverse-proxy rule that rejects POST/PUT/DELETE requests whose Origin header (or, if Origin is absent, Referer) does not match the site's own host; this is the stateless origin-check defence and stops browser-issued cross-site submissions, though requests that carry neither header must be handled deliberately rather than allowed by default
  • Restrict application access to trusted networks only; this reduces but does not remove exposure, since the forged request is sent by the victim's own browser and an internal user can still be lured to an external page

🔍 How to Verify

Check if Vulnerable:

Inspect every state-changing form for a hidden, per-session anti-CSRF token field and the session Set-Cookie header for a SameSite attribute. A form that still succeeds when replayed from a page on another origin while you are logged in is vulnerable.

Check Version:

Check application version in admin panel or configuration files

Verify Fix Applied:

Verify that every state-changing form includes a unique per-session CSRF token, that a request with the token missing or altered is rejected server-side, and that the session cookie is set with SameSite (plus Secure and HttpOnly).
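An added offline checker for the verification steps above (example code written for this page, not a tool from the vendor): it parses a page's HTML for POST forms that carry no recognised hidden token field, and parses a Set-Cookie header to report SameSite, Secure and HttpOnly. SAMPLE_HTML, its paths, the cookie name PHPSESSID and the TOKEN_FIELD_NAMES set are constructed assumptions; point it at saved copies of the real pages and the headers from a `curl -si` request.

```python
from html.parser import HTMLParser
from http.cookies import SimpleCookie

# Field names commonly used for anti-CSRF tokens. This set is an assumption;
# add whatever name your own fix uses.
TOKEN_FIELD_NAMES = {"csrf_token", "_token", "_csrf", "csrfmiddlewaretoken", "authenticity_token"}


class FormCollector(HTMLParser):
    """Record each form's method and action plus the names of its hidden inputs."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form":
            self._current = {"method": a.get("method", "get").lower(),
                             "action": a.get("action", ""), "hidden": set()}
        elif tag == "input" and self._current is not None and a.get("type", "").lower() == "hidden":
            self._current["hidden"].add(a.get("name", ""))

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def unprotected_forms(html):
    """Return the actions of POST forms that carry no recognised token field."""
    parser = FormCollector()
    parser.feed(html)
    parser.close()
    return [f["action"] for f in parser.forms
            if f["method"] == "post" and not (f["hidden"] & TOKEN_FIELD_NAMES)]


def session_cookie_flags(set_cookie_header, name):
    """Parse a Set-Cookie header and report the flags on the cookie `name`.

    Returns None when the cookie is not present; samesite is None when unset.
    """
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    if name not in jar:
        return None
    m = jar[name]
    return {"samesite": m["samesite"] or None,
            "secure": bool(m["secure"]),
            "httponly": bool(m["httponly"])}


# Constructed page and headers for the demo; the paths and the cookie name are
# hypothetical, not taken from the real application.
SAMPLE_HTML = """
<form method="GET" action="/search.php"><input name="q"><input type="submit"></form>
<form method="POST" action="/delete-booking.php">
  <input type="hidden" name="booking_id" value="7"><input type="submit" value="Delete">
</form>
<form method="post" action="/update-profile.php">
  <input type="hidden" name="csrf_token" value="abc"><input name="email"><input type="submit">
</form>
"""
VULNERABLE_COOKIE = "PHPSESSID=abc123; path=/"
HARDENED_COOKIE = "PHPSESSID=abc123; path=/; SameSite=Strict; Secure; HttpOnly"

if __name__ == "__main__":
    print("POST forms without a token:", unprotected_forms(SAMPLE_HTML))
    print("before:", session_cookie_flags(VULNERABLE_COOKIE, "PHPSESSID"))
    print("after: ", session_cookie_flags(HARDENED_COOKIE, "PHPSESSID"))
```

The form check only proves a token field exists; confirming that the server actually rejects a missing or altered token still requires submitting a request with the field removed and observing a refusal.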

📡 Detection & Monitoring

Log Indicators:

  • Multiple state-changing requests from same user with different referrers
  • Unusual form submissions without expected parameters

Network Indicators:

  • State-changing requests whose Origin or Referer header names a foreign site, or that carry neither header (once tokens are deployed: requests arriving with a missing or mismatched token)
  • Cross-origin form submissions

SIEM Query:

web_requests WHERE method IN ('POST', 'PUT', 'PATCH', 'DELETE') AND (origin IS NULL OR origin NOT CONTAINS hostname) AND (referrer IS NULL OR referrer NOT CONTAINS hostname) AND response_code IN (200, 302)

Check Origin before Referer: browsers send Origin on cross-site POSTs even when Referer is suppressed. Keep the IS NULL branches, because a NOT CONTAINS test on its own silently drops requests that have no header at all; treat those hits as lower confidence rather than discarding them. Include 302, since form handlers commonly redirect after a successful write, so requiring 200 would miss exactly the attacks that worked.
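The SIEM query rendered as runnable detection logic over sample log lines, as an added example for this page (not the vendor's code or any SIEM's query language), so the edge cases are explicit: Origin is consulted before Referer, a request with neither header is reported separately instead of being skipped, the literal Origin value "null" counts as no origin information, and redirects are not excluded. The JSON-lines format, its field names, and the hosts and paths in SAMPLE_LOG are constructed.

```python
import json
from urllib.parse import urlparse

STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}

# Constructed JSON-lines access log. Field names, hosts and paths are assumed
# for this example and are not any web server's or the application's format.
SAMPLE_LOG = [
    '{"method": "GET", "host": "rental.example", "path": "/index.php", "origin": null, "referer": null, "status": 200}',
    '{"method": "POST", "host": "rental.example", "path": "/delete-booking.php", "origin": "https://rental.example", "referer": "https://rental.example/bookings.php", "status": 302}',
    '{"method": "POST", "host": "rental.example", "path": "/delete-booking.php", "origin": "https://attacker.example", "referer": "https://attacker.example/lure.html", "status": 302}',
    '{"method": "POST", "host": "rental.example", "path": "/update-profile.php", "origin": "null", "referer": null, "status": 200}',
    '{"method": "POST", "host": "rental.example", "path": "/update-profile.php", "origin": null, "referer": null, "status": 200}',
]


def source_host(entry):
    """Hostname the request claims to come from: Origin first, then Referer.

    Returns None when neither header names a host, which covers the literal
    Origin value "null" that browsers send from sandboxed or opaque origins.
    """
    for header in ("origin", "referer"):
        value = entry.get(header)
        if value:
            host = urlparse(value).hostname
            if host:
                return host.lower()
    return None


def classify(entry):
    """Return a finding label for one log entry, or None if it looks benign."""
    if entry["method"].upper() not in STATE_CHANGING:
        return None
    src = source_host(entry)
    if src is None:
        # Cannot prove cross-site, but a CSRF attempt from a browser that
        # strips Referer looks exactly like this; report it at lower confidence.
        return "no-origin-info"
    # Compare on hostname only; a port in the Host header is not a mismatch.
    if src != entry["host"].split(":")[0].lower():
        return "cross-site"
    return None


def detect(lines):
    """Run the classifier over JSON log lines; status is kept for context only."""
    findings = []
    for line in lines:
        entry = json.loads(line)
        label = classify(entry)
        if label:
            findings.append((entry["path"], label, entry["status"]))
    return findings


if __name__ == "__main__":
    for path, label, status in detect(SAMPLE_LOG):
        print(f"{label:15} {status} {path}")
```

Only the third line is a confirmed cross-site submission; the two profile updates are flagged as lacking origin information, which is where tuning against the site's own traffic (and, after the fix, token-validation failures logged by the application) separates privacy-hardened browsers from attacks.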
