CVE-2025-70899

{"id": "CVE-2025-70899", "cveTags": [], "metrics": {"ssvcV203": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "ssvcData": {"id": "CVE-2025-70899", "role": "CISA Coordinator", "options": [{"exploitation": "poc"}, {"automatable": "no"}, {"technicalImpact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-23T16:38:31.852195Z"}}], "cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "affected": [{"source": "cve@mitre.org", "affectedData": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}]}], "published": "2026-01-22T17:16:28.580", "references": [{"url": "https://github.com/mathavamoorthi/CVE-2025-70899/blob/main/Missing_CSRF_protection_poc.md", "tags": ["Exploit", "Mitigation", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://phpgurukul.com/online-course-registration-free-download/", "tags": ["Product"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-352"}]}], "descriptions": [{"lang": "en", "value": "PHPgurukul Online Course Registration v3.1 lacks Cross-Site Request Forgery (CSRF) protection on all administrative forms. An attacker can perform unauthorized actions on behalf of authenticated administrators by tricking them into visiting a malicious webpage."}, {"lang": "es", "value": "PHPgurukul Online Course Registration v3.1 carece de protecci\u00f3n contra falsificaci\u00f3n de petici\u00f3n en sitios cruzados (CSRF) en todos los formularios administrativos. Un atacante puede realizar acciones no autorizadas en nombre de administradores autenticados al enga\u00f1arlos para que visiten una p\u00e1gina web maliciosa."}], "lastModified": "2026-06-17T10:03:27.503", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:phpgurukul:online_course_registration:3.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D81E8295-443B-41A0-8E43-C59108EC60D0"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}