Cross-Site request forgery (CSRF) vulnerability in Sync Breeze Enterprise Server

8.5 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Description

Cross-Site request forgery (CSRF) vulnerability in Sync Breeze Enterprise Server v10.4.18 and Disk Pulse Enterprise v10.4.18. An authenticated user could cause another user to perform unwanted actions within the application they are logged into. This vulnerability is possible due to the lack of proper CSRF token implementation. Among other things, it is possible, using a POST request to change a user's password or create users via '/setup_login?sid=', affecting the 'username', 'password', and 'cpassword' parameters.

Basic Information

ID CVE-2025-59891

Source INCIBE

Published Jan 28, 2026 at 11:52

Affected Product

Vendor Flexense

Product Sync Breeze Enterprise Server

Version v10.4.18

Affected Versions Flexense Sync Breeze Enterprise Server v10.4.18
Flexense Disk Pulse Enterprise v10.4.18

CWE Classification

CWE-352

References

www.incibe.es /en/incibe-cert/notices/aviso/multiple-vulnerabilities-flexense-products

{
    "lastseen": "",
    "description": "Cross-Site request forgery (CSRF) vulnerability in Sync Breeze Enterprise Server v10.4.18 and Disk Pulse Enterprise v10.4.18. An authenticated user could cause another user to perform unwanted actions within the application they are logged into. This vulnerability is possible due to the lack of proper CSRF token implementation. Among other things, it is possible, using a POST request to\u00a0change a user's password or create users via '/setup_login?sid=', affecting the 'username', 'password', and 'cpassword' parameters.",
    "published": "2026-01-28T11:52:15.635Z",
    "modified": "2026-01-28T11:52:15.635Z",
    "type": "cve",
    "title": "Cross-Site request forgery (CSRF) vulnerability in Sync Breeze Enterprise Server",
    "source": "INCIBE",
    "references": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-flexense-products",
    "id": "CVE-2025-59891",
    "bulletinFamily": "",
    "cwe": [
        "CWE-352"
    ],
    "cvelist": null,
    "sourceData": "Flexense Sync Breeze Enterprise Server v10.4.18\nFlexense Disk Pulse Enterprise v10.4.18",
    "sourceHref": "",
    "cvss": {
        "score": 8.5,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Sync Breeze Enterprise Server",
    "version": "v10.4.18",
    "vendor": "Flexense",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Cross-Site request forgery (CSRF) vulnerability in Sync Breeze Enterprise Server_CVE-2025-59891