CVE-2025-49967: CWE-352 Cross-Site Request Forgery (CSRF) in marcusjansen Live Sports Streamthunder
Cross-Site Request Forgery (CSRF) vulnerability in marcusjansen Live Sports Streamthunder allows Cross Site Request Forgery. This issue affects Live Sports Streamthunder: from n/a through 2.1.
AI Analysis
Technical Summary
CVE-2025-49967 is a Cross-Site Request Forgery (CSRF) vulnerability identified in the Live Sports Streamthunder application developed by marcusjansen. This vulnerability affects versions up to 2.1, with no specific lower bound version identified. CSRF vulnerabilities occur when an attacker tricks an authenticated user into submitting a forged HTTP request to a web application in which they are currently authenticated. In this case, the vulnerability allows an attacker to perform unauthorized actions on behalf of the user without their consent. The CVSS 3.1 base score is 4.3, indicating a medium severity level. The vector string (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N) reveals that the attack can be executed remotely over the network with low attack complexity, requires no privileges, but does require user interaction (such as clicking a malicious link). The vulnerability impacts the integrity of the application by allowing unauthorized state changes or actions but does not affect confidentiality or availability. No known exploits are currently reported in the wild, and no patches or fixes have been linked yet. The vulnerability falls under CWE-352, which is a common web application security weakness related to insufficient request validation to prevent CSRF attacks.
Potential Impact
For European organizations using Live Sports Streamthunder, this vulnerability could lead to unauthorized actions being performed on their streaming platform accounts or administrative interfaces if users are tricked into interacting with malicious content. Potential impacts include manipulation of user settings, unauthorized subscription changes, or other state-altering operations that could disrupt service integrity or user experience. While the vulnerability does not directly compromise data confidentiality or availability, the integrity impact could lead to reputational damage, loss of user trust, and potential financial implications if attackers manipulate billing or access controls. Organizations in sectors such as media, sports broadcasting, and entertainment that rely on this software for live streaming services are particularly at risk. The requirement for user interaction limits the attack scope but does not eliminate risk, especially in environments where phishing or social engineering attacks are prevalent. Given the lack of known exploits, the immediate threat is moderate, but the vulnerability should be addressed proactively to prevent future exploitation.
Mitigation Recommendations
To mitigate this CSRF vulnerability effectively, organizations should implement anti-CSRF tokens in all state-changing requests within the Live Sports Streamthunder application. This involves embedding unique, unpredictable tokens in forms and validating them server-side upon request submission. Additionally, enforcing the SameSite attribute on cookies (preferably 'Strict' or 'Lax') can reduce the risk of CSRF by restricting cross-origin requests. Organizations should also ensure that user sessions have appropriate expiration and re-authentication mechanisms for sensitive actions. Monitoring user activity for unusual patterns and educating users about the risks of clicking unsolicited links can further reduce exploitation chances. Since no official patches are currently available, organizations should consider deploying web application firewalls (WAFs) with custom rules to detect and block suspicious CSRF attempts targeting this application. Finally, maintaining up-to-date software versions and subscribing to vendor security advisories will facilitate timely application of patches once released.
Affected Countries
Germany, United Kingdom, France, Italy, Spain, Netherlands, Sweden, Belgium, Poland, Austria
CVE-2025-49967: CWE-352 Cross-Site Request Forgery (CSRF) in marcusjansen Live Sports Streamthunder
Description
Cross-Site Request Forgery (CSRF) vulnerability in marcusjansen Live Sports Streamthunder allows Cross Site Request Forgery. This issue affects Live Sports Streamthunder: from n/a through 2.1.
AI-Powered Analysis
Technical Analysis
CVE-2025-49967 is a Cross-Site Request Forgery (CSRF) vulnerability identified in the Live Sports Streamthunder application developed by marcusjansen. This vulnerability affects versions up to 2.1, with no specific lower bound version identified. CSRF vulnerabilities occur when an attacker tricks an authenticated user into submitting a forged HTTP request to a web application in which they are currently authenticated. In this case, the vulnerability allows an attacker to perform unauthorized actions on behalf of the user without their consent. The CVSS 3.1 base score is 4.3, indicating a medium severity level. The vector string (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N) reveals that the attack can be executed remotely over the network with low attack complexity, requires no privileges, but does require user interaction (such as clicking a malicious link). The vulnerability impacts the integrity of the application by allowing unauthorized state changes or actions but does not affect confidentiality or availability. No known exploits are currently reported in the wild, and no patches or fixes have been linked yet. The vulnerability falls under CWE-352, which is a common web application security weakness related to insufficient request validation to prevent CSRF attacks.
Potential Impact
For European organizations using Live Sports Streamthunder, this vulnerability could lead to unauthorized actions being performed on their streaming platform accounts or administrative interfaces if users are tricked into interacting with malicious content. Potential impacts include manipulation of user settings, unauthorized subscription changes, or other state-altering operations that could disrupt service integrity or user experience. While the vulnerability does not directly compromise data confidentiality or availability, the integrity impact could lead to reputational damage, loss of user trust, and potential financial implications if attackers manipulate billing or access controls. Organizations in sectors such as media, sports broadcasting, and entertainment that rely on this software for live streaming services are particularly at risk. The requirement for user interaction limits the attack scope but does not eliminate risk, especially in environments where phishing or social engineering attacks are prevalent. Given the lack of known exploits, the immediate threat is moderate, but the vulnerability should be addressed proactively to prevent future exploitation.
Mitigation Recommendations
To mitigate this CSRF vulnerability effectively, organizations should implement anti-CSRF tokens in all state-changing requests within the Live Sports Streamthunder application. This involves embedding unique, unpredictable tokens in forms and validating them server-side upon request submission. Additionally, enforcing the SameSite attribute on cookies (preferably 'Strict' or 'Lax') can reduce the risk of CSRF by restricting cross-origin requests. Organizations should also ensure that user sessions have appropriate expiration and re-authentication mechanisms for sensitive actions. Monitoring user activity for unusual patterns and educating users about the risks of clicking unsolicited links can further reduce exploitation chances. Since no official patches are currently available, organizations should consider deploying web application firewalls (WAFs) with custom rules to detect and block suspicious CSRF attempts targeting this application. Finally, maintaining up-to-date software versions and subscribing to vendor security advisories will facilitate timely application of patches once released.
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Patchstack
- Date Reserved
- 2025-06-11T16:07:41.545Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 68568e83aded773421b5a922
Added to database: 6/21/2025, 10:50:43 AM
Last enriched: 6/21/2025, 12:36:47 PM
Last updated: 8/14/2025, 7:33:34 AM
Views: 14
Related Threats
CVE-2025-3495: CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in Delta Electronics COMMGR
CriticalCVE-2025-53948: CWE-415 Double Free in Santesoft Sante PACS Server
HighCVE-2025-52584: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt
HighCVE-2025-46269: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt
HighCVE-2025-54862: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.