Skip to main content

CVE-2025-49439: CWE-352 Cross-Site Request Forgery (CSRF) in mariusz88atelierweb Atelier Create CV

Medium
VulnerabilityCVE-2025-49439cvecve-2025-49439cwe-352
Published: Fri Jun 06 2025 (06/06/2025, 12:54:49 UTC)
Source: CVE Database V5
Vendor/Project: mariusz88atelierweb
Product: Atelier Create CV

Description

Cross-Site Request Forgery (CSRF) vulnerability in mariusz88atelierweb Atelier Create CV allows Cross Site Request Forgery. This issue affects Atelier Create CV: from n/a through 1.1.2.

AI-Powered Analysis

AILast updated: 07/08/2025, 02:28:24 UTC

Technical Analysis

CVE-2025-49439 is a Cross-Site Request Forgery (CSRF) vulnerability identified in the web application 'Atelier Create CV' developed by mariusz88atelierweb. This vulnerability affects versions up to 1.1.2, although exact affected versions are not fully enumerated. CSRF vulnerabilities allow an attacker to trick an authenticated user into submitting unwanted requests to a web application in which they are currently authenticated. In this case, the vulnerability permits an attacker to perform state-changing actions on behalf of the user without their consent or interaction beyond visiting a malicious page. The CVSS 3.1 base score is 4.3 (medium severity), with the vector indicating network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), user interaction required (UI:R), unchanged scope (S:U), no confidentiality impact (C:N), low integrity impact (I:L), and no availability impact (A:N). This means the attacker can exploit the vulnerability remotely without authentication but requires the user to interact with a crafted malicious link or page. The primary impact is limited to integrity, allowing unauthorized modification of user data or actions within the application context. No known exploits in the wild have been reported yet, and no patches or mitigations have been linked at this time. The vulnerability falls under CWE-352, a well-known web security weakness related to insufficient anti-CSRF protections such as missing or ineffective CSRF tokens or referer checks. Given the nature of the product, which is a CV creation tool, the potential for abuse includes unauthorized modification or submission of CV data, which could lead to data integrity issues or reputational damage for affected users.

Potential Impact

For European organizations, the impact of this CSRF vulnerability depends largely on the adoption of the Atelier Create CV application within their environment. Organizations using this tool for employee CV management or recruitment processes could face risks of unauthorized data manipulation, potentially leading to inaccurate personnel records or compromised recruitment workflows. Although the vulnerability does not directly impact confidentiality or availability, integrity violations can undermine trust in HR data and may cause operational disruptions. Additionally, if the application is integrated with other internal systems, the CSRF attack could serve as a pivot point for further exploitation or social engineering attacks. The requirement for user interaction means phishing or social engineering campaigns could be used to exploit this vulnerability, which is a common attack vector in Europe. Given the medium severity, the threat is moderate but should not be overlooked, especially in sectors with strict data integrity requirements such as finance, government, and healthcare. The absence of known exploits suggests that immediate widespread impact is unlikely, but proactive mitigation is recommended to prevent future exploitation.

Mitigation Recommendations

To mitigate this CSRF vulnerability effectively, European organizations should implement or verify the presence of robust anti-CSRF protections in the Atelier Create CV application. This includes ensuring that all state-changing requests require a unique, unpredictable CSRF token that is validated server-side. If the vendor has not yet released a patch, organizations should consider the following practical steps: 1) Restrict access to the application to trusted networks or VPNs to reduce exposure to external attackers; 2) Educate users about the risks of clicking on unsolicited links and implement email filtering to reduce phishing attempts; 3) Employ web application firewalls (WAFs) with rules designed to detect and block CSRF attack patterns; 4) Monitor application logs for unusual or unauthorized requests indicative of CSRF exploitation attempts; 5) If possible, disable or limit functionality that performs sensitive state changes until a vendor patch is available; 6) Engage with the vendor to obtain timelines for patches or updates and apply them promptly once released. Additionally, organizations should review their session management policies to ensure sessions expire appropriately and consider implementing multi-factor authentication to reduce the impact of compromised sessions.

Need more detailed analysis?Get Pro

Technical Details

Data Version
5.1
Assigner Short Name
Patchstack
Date Reserved
2025-06-04T15:44:46.228Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 6842edde71f4d251b5c88075

Added to database: 6/6/2025, 1:32:14 PM

Last enriched: 7/8/2025, 2:28:24 AM

Last updated: 8/16/2025, 9:35:25 AM

Views: 17

Actions

PRO

Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.

Please log in to the Console to use AI analysis features.

Need enhanced features?

Contact root@offseq.com for Pro access with improved analysis and higher rate limits.

Latest Threats