CVE-2025-28958: CWE-352 Cross-Site Request Forgery (CSRF) in Vadim Bogaiskov Bg Orthodox Calendar
Cross-Site Request Forgery (CSRF) vulnerability in Vadim Bogaiskov Bg Orthodox Calendar allows Stored XSS. This issue affects Bg Orthodox Calendar: from n/a through 0.13.10.
AI Analysis
Technical Summary
CVE-2025-28958 is a high-severity vulnerability classified as CWE-352, indicating a Cross-Site Request Forgery (CSRF) issue in the Bg Orthodox Calendar software developed by Vadim Bogaiskov. The vulnerability affects versions up to 0.13.10. CSRF vulnerabilities allow an attacker to trick an authenticated user into submitting a forged request to a web application, potentially causing unintended actions. In this case, the CSRF vulnerability enables a Stored Cross-Site Scripting (XSS) attack, which means that malicious scripts can be permanently stored on the vulnerable application and executed in the context of users’ browsers when they access affected pages. The CVSS 3.1 base score of 7.1 reflects a high severity, with the vector indicating network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), user interaction required (UI:R), scope changed (S:C), and confidentiality, integrity, and availability impacts each rated low (C:L/I:L/A:L). The scope change (S:C) indicates that the vulnerability affects components beyond the initially vulnerable component, increasing its impact. The vulnerability was published on June 6, 2025, with no known exploits in the wild yet and no available patches at the time of reporting. The Bg Orthodox Calendar is a specialized calendar application, likely used by communities or organizations that follow the Orthodox Christian calendar, which may include religious institutions or cultural organizations. The combination of CSRF and stored XSS can allow attackers to perform unauthorized actions on behalf of users and inject persistent malicious scripts, potentially leading to session hijacking, data theft, or further compromise of user accounts and systems.
Potential Impact
For European organizations, especially those with religious, cultural, or community websites using the Bg Orthodox Calendar, this vulnerability poses a significant risk. The stored XSS component can lead to theft of user credentials, session tokens, or other sensitive information, undermining confidentiality. The CSRF aspect allows attackers to perform unauthorized actions, potentially altering calendar data or user settings, impacting integrity. Availability impact is lower but still present if attackers leverage the vulnerability to disrupt services or cause application errors. Given the scope change, the vulnerability could affect multiple components or users beyond the initially targeted ones, amplifying the risk. Organizations in Europe that rely on this calendar for public-facing or internal scheduling may face reputational damage, data breaches, or compliance issues under GDPR if personal data is compromised. The lack of patches increases the urgency for mitigation. Although no exploits are known in the wild yet, the combination of CSRF and stored XSS is attractive for attackers targeting web applications with user interaction, making proactive defense critical.
Mitigation Recommendations
1. Immediate mitigation should include implementing strict anti-CSRF tokens in all state-changing requests within the Bg Orthodox Calendar application to prevent unauthorized request forgery.
2. Sanitize and validate all user inputs rigorously to prevent stored XSS payloads from being injected and stored in the application database.
3. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers accessing the application.
4. Restrict cookie attributes by setting the HttpOnly and Secure flags to protect session cookies from being accessed or transmitted insecurely.
5. Monitor web application logs for unusual or suspicious requests that may indicate exploitation attempts.
6. If possible, isolate the Bg Orthodox Calendar application behind a web application firewall (WAF) configured to detect and block CSRF and XSS attack patterns.
7. Educate users about the risks of clicking on suspicious links or performing actions from untrusted sources while authenticated.
8. Engage with the vendor or community to obtain or expedite patches and updates addressing this vulnerability.
9. Consider temporarily disabling or limiting functionality of the calendar application if it cannot be secured promptly, especially on public-facing sites.
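As an added illustration (not code from the Bg Orthodox Calendar plugin or its author), the following Python sketch shows how recommendations 1 through 4 fit together in a request handler: a synchronizer token bound to the session via HMAC, an Origin/Referer same-site check for state-changing methods, escaping of user-supplied calendar text before it is persisted or rendered, and the cookie and CSP headers. The site origin `https://calendar.example.org`, the `Request` shape, the `_csrf` form field and the `calendar_session` cookie name are assumptions made for the example.

```python
from __future__ import annotations

import hashlib
import hmac
import html
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed per-process secret; a real deployment loads it from configuration.
SERVER_SECRET = secrets.token_bytes(32)

# Assumed deployment origin; Origin/Referer headers must match scheme and host.
SITE_ORIGIN = "https://calendar.example.org"


def issue_csrf_token(session_id: str, secret: bytes = SERVER_SECRET) -> str:
    """Synchronizer token derived from the session id (mitigation 1).

    Binding the token to the session means a token observed in one session is
    useless in another, and nothing extra has to be stored server-side.
    """
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_token_valid(session_id: str, presented, secret: bytes = SERVER_SECRET) -> bool:
    """Constant-time comparison; a missing or non-string token never validates."""
    if not isinstance(presented, str):
        return False
    expected = issue_csrf_token(session_id, secret)
    return hmac.compare_digest(expected.encode(), presented.encode())


def same_site(url: str) -> bool:
    """Compare scheme and host exactly, so 'calendar.example.org.evil.example'
    does not pass a naive prefix check."""
    got, want = urlsplit(url), urlsplit(SITE_ORIGIN)
    return (got.scheme, got.netloc) == (want.scheme, want.netloc)


@dataclass
class Request:
    # Assumed minimal request shape for the illustration.
    method: str
    headers: dict
    form: dict = field(default_factory=dict)
    session_id: str = ""


def state_change_allowed(req: Request) -> tuple[bool, str]:
    """Gate every state-changing request: same-site origin plus a valid token."""
    if req.method.upper() in ("GET", "HEAD", "OPTIONS"):
        return True, "safe method"
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    if origin and not same_site(origin):
        return False, "cross-site origin"
    if not csrf_token_valid(req.session_id, req.form.get("_csrf")):
        return False, "missing or invalid csrf token"
    return True, "ok"


def store_calendar_note(raw: str) -> str:
    """Neutralise markup in user-supplied text before it is stored (mitigation 2),
    so a persisted payload renders as literal text instead of executing."""
    return html.escape(raw, quote=True)


def hardened_headers(session_value: str) -> dict:
    """CSP restricting script sources (mitigation 3) and a session cookie with
    Secure, HttpOnly and SameSite attributes (mitigation 4)."""
    return {
        "Content-Security-Policy": (
            "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'"
        ),
        "Set-Cookie": (
            f"calendar_session={session_value}; Secure; HttpOnly; SameSite=Lax; Path=/"
        ),
    }


if __name__ == "__main__":
    sid = "sess-demo"
    token = issue_csrf_token(sid)
    forged = Request("POST", {"Origin": "https://attacker.example"}, {"_csrf": token}, sid)
    legit = Request("POST", {"Origin": SITE_ORIGIN}, {"_csrf": token}, sid)
    print(state_change_allowed(forged))  # (False, 'cross-site origin')
    print(state_change_allowed(legit))   # (True, 'ok')
    print(store_calendar_note("<b>Feast</b>"))  # &lt;b&gt;Feast&lt;/b&gt;
```

The token check and the origin check are independent layers: the origin check stops a forged cross-site form even if a token leaks, and the token check covers clients that send neither Origin nor Referer. Escaping at storage time is shown for brevity; escaping at render time with the same function is the more common placement and protects content that entered the database before the fix.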
Affected Countries
Greece, Bulgaria, Romania, Serbia, Russia, Ukraine, Moldova
Technical Details
- Data Version: 5.1
- Assigner Short Name: Patchstack
- Date Reserved: 2025-03-11T08:10:19.509Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6842edda71f4d251b5c87f39
Added to database: 6/6/2025, 1:32:10 PM
Last enriched: 7/8/2025, 12:10:10 AM
Last updated: 8/2/2025, 4:12:31 PM