Webkul QloApps CSRF Token authorization_CVE-2025-10759

6.9 / 10

MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P

Description

A vulnerability was detected in Webkul QloApps up to 1.7.0. This affects an unknown function of the component CSRF Token Handler. Performing manipulation of the argument token results in authorization bypass. The attack may be initiated remotely. The exploit is now public and may be used. The vendor explains: "As We are already aware about this vulnerability and our Internal team are already working on this issue. (...) We'll implement the fix for this vulnerability in our next major release."

Basic Information

ID CVE-2025-10759

Source VulDB

Published Sep 21, 2025 at 01:02

Affected Product

Vendor Webkul

Product QloApps

Version 1.0

Affected Versions Webkul QloApps 1.0
Webkul QloApps 1.1
Webkul QloApps 1.2
Webkul QloApps 1.3
Webkul QloApps 1.4
Webkul QloApps 1.5
Webkul QloApps 1.6
Webkul QloApps 1.7.0

CWE Classification

CWE-639 CWE-285

References

{
    "lastseen": "",
    "description": "A vulnerability was detected in Webkul QloApps up to 1.7.0. This affects an unknown function of the component CSRF Token Handler. Performing manipulation of the argument token results in authorization bypass. The attack may be initiated remotely. The exploit is now public and may be used. The vendor explains: \"As We are already aware about this vulnerability and our Internal team are already working on this issue. (...) We'll implement the fix for this vulnerability in our next major release.\"",
    "published": "2025-09-21T01:02:06.341Z",
    "modified": "2025-09-21T01:02:06.341Z",
    "type": "cve",
    "title": "Webkul QloApps CSRF Token authorization",
    "source": "VulDB",
    "references": "https://vuldb.com/?id.325114\nhttps://vuldb.com/?ctiid.325114\nhttps://vuldb.com/?submit.645821\nhttps://github.com/Ryomensukuna13/QloApps-Reusable-CSRF-Token-in-Logout-Functionality/blob/main/README.md\nhttps://github.com/Ryomensukuna13/QloApps-Reusable-CSRF-Token-in-Logout-Functionality/blob/main/README.md#proof-of-concept-poc",
    "id": "CVE-2025-10759",
    "bulletinFamily": "",
    "cwe": [
        "CWE-639",
        "CWE-285"
    ],
    "cvelist": null,
    "sourceData": "Webkul QloApps 1.0\nWebkul QloApps 1.1\nWebkul QloApps 1.2\nWebkul QloApps 1.3\nWebkul QloApps 1.4\nWebkul QloApps 1.5\nWebkul QloApps 1.6\nWebkul QloApps 1.7.0",
    "sourceHref": "",
    "cvss": {
        "score": 6.9,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "QloApps",
    "version": "1.0",
    "vendor": "Webkul",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}