CVE-2025-1891
Published: 04 March 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-1891 is a cross-site request forgery (CSRF) vulnerability, classified as problematic, affecting shishuocms version 1.1. The issue impacts some unknown processing within the software and is associated with CWE-352 (Cross-Site Request Forgery) and CWE-862 (Missing Authorization). It carries a CVSS v3.1 base score of 4.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N), indicating medium severity with network accessibility, low attack complexity, no required privileges, and user interaction needed.
An attacker can exploit this vulnerability remotely by manipulating a victim into submitting a malicious request, such as via a crafted link or form on a malicious site. No attacker privileges are required, but the victim must be authenticated to shishuocms and interact with the attacker's payload. Successful exploitation enables limited integrity impacts, potentially allowing unauthorized actions on the victim's behalf without affecting confidentiality or availability.
References from VulDB and a GitHub repository document the vulnerability, noting that the exploit has been publicly disclosed and may be used. No specific patches, vendor advisories, or mitigation guidance are detailed in the provided sources.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CSRF vulnerability in public-facing web CMS enables exploitation of public-facing applications to perform unauthorized actions via crafted requests.