Skip to main content

CVE-2025-49967: CWE-352 Cross-Site Request Forgery (CSRF) in marcusjansen Live Sports Streamthunder

Medium
VulnerabilityCVE-2025-49967cvecve-2025-49967cwe-352
Published: Fri Jun 20 2025 (06/20/2025, 15:04:21 UTC)
Source: CVE Database V5
Vendor/Project: marcusjansen
Product: Live Sports Streamthunder

Description

Cross-Site Request Forgery (CSRF) vulnerability in marcusjansen Live Sports Streamthunder allows Cross Site Request Forgery. This issue affects Live Sports Streamthunder: from n/a through 2.1.

AI-Powered Analysis

AILast updated: 06/21/2025, 12:36:47 UTC

Technical Analysis

CVE-2025-49967 is a Cross-Site Request Forgery (CSRF) vulnerability identified in the Live Sports Streamthunder application developed by marcusjansen. This vulnerability affects versions up to 2.1, with no specific lower bound version identified. CSRF vulnerabilities occur when an attacker tricks an authenticated user into submitting a forged HTTP request to a web application in which they are currently authenticated. In this case, the vulnerability allows an attacker to perform unauthorized actions on behalf of the user without their consent. The CVSS 3.1 base score is 4.3, indicating a medium severity level. The vector string (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N) reveals that the attack can be executed remotely over the network with low attack complexity, requires no privileges, but does require user interaction (such as clicking a malicious link). The vulnerability impacts the integrity of the application by allowing unauthorized state changes or actions but does not affect confidentiality or availability. No known exploits are currently reported in the wild, and no patches or fixes have been linked yet. The vulnerability falls under CWE-352, which is a common web application security weakness related to insufficient request validation to prevent CSRF attacks.

Potential Impact

For European organizations using Live Sports Streamthunder, this vulnerability could lead to unauthorized actions being performed on their streaming platform accounts or administrative interfaces if users are tricked into interacting with malicious content. Potential impacts include manipulation of user settings, unauthorized subscription changes, or other state-altering operations that could disrupt service integrity or user experience. While the vulnerability does not directly compromise data confidentiality or availability, the integrity impact could lead to reputational damage, loss of user trust, and potential financial implications if attackers manipulate billing or access controls. Organizations in sectors such as media, sports broadcasting, and entertainment that rely on this software for live streaming services are particularly at risk. The requirement for user interaction limits the attack scope but does not eliminate risk, especially in environments where phishing or social engineering attacks are prevalent. Given the lack of known exploits, the immediate threat is moderate, but the vulnerability should be addressed proactively to prevent future exploitation.

Mitigation Recommendations

To mitigate this CSRF vulnerability effectively, organizations should implement anti-CSRF tokens in all state-changing requests within the Live Sports Streamthunder application. This involves embedding unique, unpredictable tokens in forms and validating them server-side upon request submission. Additionally, enforcing the SameSite attribute on cookies (preferably 'Strict' or 'Lax') can reduce the risk of CSRF by restricting cross-origin requests. Organizations should also ensure that user sessions have appropriate expiration and re-authentication mechanisms for sensitive actions. Monitoring user activity for unusual patterns and educating users about the risks of clicking unsolicited links can further reduce exploitation chances. Since no official patches are currently available, organizations should consider deploying web application firewalls (WAFs) with custom rules to detect and block suspicious CSRF attempts targeting this application. Finally, maintaining up-to-date software versions and subscribing to vendor security advisories will facilitate timely application of patches once released.

Need more detailed analysis?Get Pro

Technical Details

Data Version
5.1
Assigner Short Name
Patchstack
Date Reserved
2025-06-11T16:07:41.545Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 68568e83aded773421b5a922

Added to database: 6/21/2025, 10:50:43 AM

Last enriched: 6/21/2025, 12:36:47 PM

Last updated: 8/14/2025, 7:33:34 AM

Views: 14

Actions

PRO

Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.

Please log in to the Console to use AI analysis features.

Need enhanced features?

Contact root@offseq.com for Pro access with improved analysis and higher rate limits.

Latest Threats