CVE-2025-25772

A Cross-Site Request Forgery (CSRF) in the component /back/UserController.java of Jspxcms v9.0 to v9.5 allows attackers to arbitrarily add Administrator accounts via a crafted request.

CVSS v3 5.1 MEDIUM

5.1^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.5 / Impact : 2.5

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://www.yuque.com/u123456789-6sobi/cdgcbq/pkwoqmkamcm9854r?singleDoc#%E3%80%8AjspXcms_csrf%E3%80%8B	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:ujcms:jspxcms:*:*:*:*:*:*:*:*

History

09 Jul 2025, 14:43

Type	Values Removed	Values Added
Summary		(es) Cross-Site Request Forgery (CSRF) en el componente /back/UserController.java de Jspxcms v9.0 a v9.5 permite a los atacantes agregar arbitrariamente cuentas de administrador a través de una solicitud manipulada.
CPE		cpe:2.3:a:ujcms:jspxcms::::::::
First Time		Ujcms Ujcms jspxcms
References	~~() https://www.yuque.com/u123456789-6sobi/cdgcbq/pkwoqmkamcm9854r?singleDoc#%E3%80%8AjspXcms_csrf%E3%80%8B -~~	() https://www.yuque.com/u123456789-6sobi/cdgcbq/pkwoqmkamcm9854r?singleDoc#%E3%80%8AjspXcms_csrf%E3%80%8B - Exploit, Third Party Advisory

21 Feb 2025, 22:15

Type	Values Removed	Values Added
CWE		CWE-352
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 5.1

21 Feb 2025, 19:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-02-21 19:15

Updated : 2025-07-09 14:43

NVD link : CVE-2025-25772

Mitre link : CVE-2025-25772

CVE.ORG link : CVE-2025-25772

JSON object : View

Products Affected

ujcms

jspxcms

CWE

CWE-352

Cross-Site Request Forgery (CSRF)

5.1 /10