CVE-2025-49439: CWE-352 Cross-Site Request Forgery (CSRF) in mariusz88atelierweb Atelier Create CV
Cross-Site Request Forgery (CSRF) vulnerability in mariusz88atelierweb Atelier Create CV allows Cross Site Request Forgery. This issue affects Atelier Create CV: from n/a through 1.1.2.
AI Analysis
Technical Summary
CVE-2025-49439 is a Cross-Site Request Forgery (CSRF) vulnerability identified in the web application 'Atelier Create CV' developed by mariusz88atelierweb. This vulnerability affects versions up to 1.1.2, although exact affected versions are not fully enumerated. CSRF vulnerabilities allow an attacker to trick an authenticated user into submitting unwanted requests to a web application in which they are currently authenticated. In this case, the vulnerability permits an attacker to perform state-changing actions on behalf of the user without their consent or interaction beyond visiting a malicious page. The CVSS 3.1 base score is 4.3 (medium severity), with the vector indicating network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), user interaction required (UI:R), unchanged scope (S:U), no confidentiality impact (C:N), low integrity impact (I:L), and no availability impact (A:N). This means the attacker can exploit the vulnerability remotely without authentication but requires the user to interact with a crafted malicious link or page. The primary impact is limited to integrity, allowing unauthorized modification of user data or actions within the application context. No known exploits in the wild have been reported yet, and no patches or mitigations have been linked at this time. The vulnerability falls under CWE-352, a well-known web security weakness related to insufficient anti-CSRF protections such as missing or ineffective CSRF tokens or referer checks. Given the nature of the product, which is a CV creation tool, the potential for abuse includes unauthorized modification or submission of CV data, which could lead to data integrity issues or reputational damage for affected users.
Potential Impact
For European organizations, the impact of this CSRF vulnerability depends largely on the adoption of the Atelier Create CV application within their environment. Organizations using this tool for employee CV management or recruitment processes could face risks of unauthorized data manipulation, potentially leading to inaccurate personnel records or compromised recruitment workflows. Although the vulnerability does not directly impact confidentiality or availability, integrity violations can undermine trust in HR data and may cause operational disruptions. Additionally, if the application is integrated with other internal systems, the CSRF attack could serve as a pivot point for further exploitation or social engineering attacks. The requirement for user interaction means phishing or social engineering campaigns could be used to exploit this vulnerability, which is a common attack vector in Europe. Given the medium severity, the threat is moderate but should not be overlooked, especially in sectors with strict data integrity requirements such as finance, government, and healthcare. The absence of known exploits suggests that immediate widespread impact is unlikely, but proactive mitigation is recommended to prevent future exploitation.
Mitigation Recommendations
To mitigate this CSRF vulnerability effectively, European organizations should implement or verify the presence of robust anti-CSRF protections in the Atelier Create CV application. This includes ensuring that all state-changing requests require a unique, unpredictable CSRF token that is validated server-side. If the vendor has not yet released a patch, organizations should consider the following practical steps:
1) Restrict access to the application to trusted networks or VPNs to reduce exposure to external attackers;
2) Educate users about the risks of clicking on unsolicited links and implement email filtering to reduce phishing attempts;
3) Employ web application firewalls (WAFs) with rules designed to detect and block CSRF attack patterns;
4) Monitor application logs for unusual or unauthorized requests indicative of CSRF exploitation attempts;
5) If possible, disable or limit functionality that performs sensitive state changes until a vendor patch is available;
6) Engage with the vendor to obtain timelines for patches or updates and apply them promptly once released.
Additionally, organizations should review their session management policies to ensure sessions expire appropriately and consider implementing multi-factor authentication to reduce the impact of compromised sessions.
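The core of the mitigation above is a unique, unpredictable per-session token that the server validates on every state-changing request. The Python below is an added illustration of that synchronizer-token check, not code from Atelier Create CV or its vendor; it goes slightly beyond the text by also rejecting requests whose browser-supplied provenance (Sec-Fetch-Site, Origin or Referer) is not the application's own origin, as defence in depth. The application origin, session identifiers, secret and request dictionaries are all constructed placeholders.

```python
"""Server-side CSRF guard for state-changing requests: synchronizer token
pattern plus an origin check. Added example, not the project's own code;
the origin, session ids, secret and requests below are hypothetical."""
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Hypothetical deployment origin of the application (placeholder value).
APP_ORIGIN = "https://cv.example.test"
STATE_CHANGING = ("POST", "PUT", "PATCH", "DELETE")


def issue_csrf_token(session_id: str, secret: bytes) -> str:
    """Create a token to embed in a form: random nonce + HMAC bound to the session.

    The nonce makes the token unpredictable; the MAC means a token obtained in
    one session cannot be replayed into another."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(secret, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(token, session_id: str, secret: bytes) -> bool:
    """Recompute the MAC for this session and compare it in constant time."""
    try:
        nonce, mac = token.split(".", 1)
    except (AttributeError, ValueError):  # None, wrong type or malformed token
        return False
    expected = hmac.new(secret, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def origin_allowed(headers: dict) -> bool:
    """Reject requests whose browser-supplied provenance is not our own origin.

    Sec-Fetch-Site is set by modern browsers and cannot be set by page script;
    Origin and Referer are the fallback for older clients. The comparison is
    against the exact origin, so look-alike hosts such as
    https://cv.example.test.attacker.example do not pass."""
    site = headers.get("Sec-Fetch-Site")
    if site is not None:
        return site == "same-origin"
    origin = headers.get("Origin")
    if origin is not None:
        return origin == APP_ORIGIN
    referer = headers.get("Referer")
    if referer is not None:
        parts = urlsplit(referer)
        return f"{parts.scheme}://{parts.netloc}" == APP_ORIGIN
    return False  # no provenance at all: fail closed for state changes


def guard_state_change(request: dict, session_id: str, secret: bytes):
    """Return (allowed, reason). session_id must come from the server-side
    session the browser's cookie resolves to, never from the request body."""
    if request["method"] not in STATE_CHANGING:
        return True, "read-only method"
    if not origin_allowed(request.get("headers", {})):
        return False, "cross-site origin"
    if not verify_csrf_token(request.get("form", {}).get("csrf_token"), session_id, secret):
        return False, "missing or invalid csrf token"
    return True, "ok"


def run_demo():
    """Constructed requests against a CV-save endpoint; returns (label, allowed, reason)."""
    secret = b"constructed-demo-secret"  # placeholder, not a real key
    victim, other = "sess-victim", "sess-other"
    good_token = issue_csrf_token(victim, secret)
    cases = [
        ("legitimate same-origin form post",
         {"method": "POST", "headers": {"Origin": APP_ORIGIN, "Sec-Fetch-Site": "same-origin"},
          "form": {"csrf_token": good_token, "title": "Senior Engineer"}}),
        ("forged cross-site post, session cookie attached but no token",
         {"method": "POST", "headers": {"Origin": "https://attacker.example", "Sec-Fetch-Site": "cross-site"},
          "form": {"title": "Defaced"}}),
        ("legacy browser, Referer from a look-alike host, no token",
         {"method": "POST", "headers": {"Referer": "https://cv.example.test.attacker.example/page"},
          "form": {"title": "Defaced"}}),
        ("token issued to another session, replayed same-origin",
         {"method": "POST", "headers": {"Sec-Fetch-Site": "same-origin"},
          "form": {"csrf_token": issue_csrf_token(other, secret), "title": "Defaced"}}),
    ]
    return [(label, *guard_state_change(req, victim, secret)) for label, req in cases]


if __name__ == "__main__":
    for label, allowed, reason in run_demo():
        print(f"{'ALLOW' if allowed else 'BLOCK':5} {label}: {reason}")
```

Only the first constructed request is allowed; the cross-site and look-alike-Referer posts are stopped by the origin check, and the replayed token is stopped by the session-bound MAC. The origin check is a backstop, not a substitute: the token check runs even when the provenance headers look right, which is what the recommendation above calls for.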
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Belgium, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Patchstack
- Date Reserved: 2025-06-04T15:44:46.228Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 6842edde71f4d251b5c88075
Added to database: 6/6/2025, 1:32:14 PM
Last enriched: 7/8/2025, 2:28:24 AM
Last updated: 8/16/2025, 9:35:25 AM
Related Threats
- CVE-2025-9093: Improper Export of Android Application Components in BuzzFeed App (Medium)
- CVE-2025-9091: Hard-coded Credentials in Tenda AC20 (Low)
- CVE-2025-9090: Command Injection in Tenda AC20 (Medium)
- CVE-2025-9092: CWE-400 Uncontrolled Resource Consumption in Legion of the Bouncy Castle Inc. Bouncy Castle for Java - BC-FJA 2.1.0 (Low)
- CVE-2025-9089: Stack-based Buffer Overflow in Tenda AC20 (High)