Cross-Site request forgery (CSRF) vulnerability in Sync Breeze Enterprise Server

8.5 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Description

Cross-Site request forgery (CSRF) vulnerability in Sync Breeze Enterprise Server v10.4.18 and Disk Pulse Enterprise v10.4.18. An authenticated user could cause another user to perform unwanted actions within the application they are logged into. This vulnerability is possible due to the lack of proper CSRF token implementation. Among other things, it is possible, using a POST request to delete commands individually via '/delete_command?sid=', using the 'cid' parameter.

Basic Information

ID CVE-2025-59892

Source INCIBE

Published Jan 28, 2026 at 11:52

Affected Product

Vendor Flexense

Product Sync Breeze Enterprise Server

Version v10.4.18

Affected Versions Flexense Sync Breeze Enterprise Server v10.4.18
Flexense Disk Pulse Enterprise v10.4.18

CWE Classification

CWE-352

References

www.incibe.es /en/incibe-cert/notices/aviso/multiple-vulnerabilities-flexense-products

{
    "lastseen": "",
    "description": "Cross-Site request forgery (CSRF) vulnerability in Sync Breeze Enterprise Server v10.4.18 and Disk Pulse Enterprise v10.4.18. An authenticated user could cause another user to perform unwanted actions within the application they are logged into. This vulnerability is possible due to the lack of proper CSRF token implementation. Among other things, it is possible, using a POST request to\u00a0delete commands individually via '/delete_command?sid=', using the 'cid' parameter.",
    "published": "2026-01-28T11:52:35.782Z",
    "modified": "2026-01-28T11:52:35.782Z",
    "type": "cve",
    "title": "Cross-Site request forgery (CSRF) vulnerability in Sync Breeze Enterprise Server",
    "source": "INCIBE",
    "references": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-flexense-products",
    "id": "CVE-2025-59892",
    "bulletinFamily": "",
    "cwe": [
        "CWE-352"
    ],
    "cvelist": null,
    "sourceData": "Flexense Sync Breeze Enterprise Server v10.4.18\nFlexense Disk Pulse Enterprise v10.4.18",
    "sourceHref": "",
    "cvss": {
        "score": 8.5,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Sync Breeze Enterprise Server",
    "version": "v10.4.18",
    "vendor": "Flexense",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Cross-Site request forgery (CSRF) vulnerability in Sync Breeze Enterprise Server_CVE-2025-59892