CVE-2025-28062

{"id": "CVE-2025-28062", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 2.8}]}, "published": "2025-05-05T16:15:51.310", "references": [{"url": "https://github.com/Thvt0ne/CVE-2025-28062", "tags": ["Exploit"], "source": "cve@mitre.org"}, {"url": "https://github.com/frappe/erpnext", "tags": ["Product"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-352"}]}], "descriptions": [{"lang": "en", "value": "A Cross-Site Request Forgery (CSRF) vulnerability was discovered in ERPNEXT 14.82.1 and 14.74.3. The vulnerability allows an attacker to perform unauthorized actions such as user deletion, password resets, and privilege escalation due to missing CSRF protections."}, {"lang": "es", "value": "Se descubri\u00f3 una vulnerabilidad de Cross-Site Request Forgery (CSRF) en ERPNEXT 14.82.1 y 14.74.3. Esta vulnerabilidad permite a un atacante realizar acciones no autorizadas, como la eliminaci\u00f3n de usuarios, el restablecimiento de contrase\u00f1as y la escalada de privilegios, debido a la falta de protecci\u00f3n CSRF."}], "lastModified": "2025-06-17T14:13:04.563", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:frappe:erpnext:14.74.3:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5CF42DBE-9321-4CC3-9093-3CAB462BCDFF"}, {"criteria": "cpe:2.3:a:frappe:erpnext:14.82.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "951326DA-FE7B-4DED-AAC5-F889C79BD830"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}