
CVE-2025-53338: CWE-352 Cross-Site Request Forgery (CSRF) in dor re.place

Severity: High
Published: Fri Jun 27 2025 (06/27/2025, 13:21:44 UTC)
Source: CVE Database V5
Vendor/Project: dor
Product: re.place

Description

Cross-Site Request Forgery (CSRF) vulnerability in dor re.place allows Stored XSS. This issue affects re.place: from n/a through 0.2.1.

AI-Powered Analysis

Last updated: 06/27/2025, 13:55:27 UTC

Technical Analysis

CVE-2025-53338 is a high-severity Cross-Site Request Forgery (CSRF) vulnerability in the product 're.place' from the vendor 'dor', classified under CWE-352 (CSRF). The issue affects versions through 0.2.1; the lower bound of the affected range is listed as n/a, so the exact range is not fully specified.

The flaw lets an attacker cause an authenticated user's browser to submit state-changing requests to the application without that user's consent. In this case the forged request can inject a Stored Cross-Site Scripting (XSS) payload: the malicious script is persisted on the server and later executes in the browsers of users who view the affected content.

The CVSS v3.1 base score is 7.1 (High). The vector string (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L) indicates an attack that is reachable over the network, has low complexity, and requires no privileges or prior authentication on the attacker's part (PR:N), but does require user interaction (UI:R), such as visiting a crafted page or clicking a crafted link. The scope is changed (S:C): the vulnerable component is used to affect resources beyond itself, here the browsers of other users. Confidentiality, integrity and availability are each rated as low impact, but combined with persistent XSS the overall risk is significant. No patches and no known exploitation in the wild had been reported at the time of publication (June 27, 2025).

Potential Impact

For European organizations using the 're.place' software, this vulnerability poses a significant risk. The ability to exploit CSRF to inject stored XSS payloads can lead to session hijacking, credential theft, unauthorized actions, and potential lateral movement within the network. Confidentiality and integrity of user data can be compromised, and availability may be affected if attackers use the vulnerability to disrupt services. Given the remote exploitability without authentication, attackers can target users through phishing or malicious websites to trigger the CSRF attack. Organizations in sectors with high reliance on web applications, such as finance, healthcare, and government, could face data breaches, reputational damage, and regulatory penalties under GDPR if personal data is exposed or manipulated. The stored XSS aspect increases the persistence and impact of the attack, as malicious scripts can affect multiple users over time.

Mitigation Recommendations

To mitigate this vulnerability, organizations should implement anti-CSRF tokens in all state-changing requests within the 're.place' application to ensure that requests are legitimate and originate from authenticated users. Additionally, input validation and output encoding should be enforced rigorously to prevent stored XSS payloads from being injected or executed. Employing Content Security Policy (CSP) headers can help reduce the impact of XSS by restricting the sources from which scripts can be loaded. Organizations should monitor and audit user actions and logs for unusual activities that may indicate exploitation attempts. Since no official patches are currently available, consider applying virtual patching via Web Application Firewalls (WAFs) configured to detect and block CSRF and XSS attack patterns targeting 're.place'. User education on phishing and safe browsing practices can reduce the likelihood of successful user interaction required for exploitation. Finally, maintain an incident response plan to quickly address any detected exploitation.
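The two controls recommended above, a per-session anti-CSRF token on state-changing requests and output encoding of stored content, shown side by side with the unprotected 'before' behaviour. This is an added illustration, not code from re.place or dor; the in-memory session and content stores, the allowed origin and the form field names are constructed assumptions.

```python
import hmac
import html
import secrets

# Constructed in-memory stand-ins for the application's session and
# content storage (hypothetical; re.place's real storage is not on the page).
SESSIONS = {}  # session_id -> per-session CSRF token
STORED = {}    # replacement key -> replacement text
ALLOWED_ORIGIN = "https://app.example"  # assumed deployment origin

def new_session():
    """Create a session and bind a fresh random CSRF token to it."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = secrets.token_urlsafe(32)
    return sid

def csrf_token_for(sid):
    """Token the server embeds in its own forms for this session."""
    return SESSIONS[sid]

def save_replacement_vulnerable(sid, form):
    """'Before' behaviour: the session cookie alone authorises the write,
    so a form auto-submitted from a third-party page is accepted."""
    if sid not in SESSIONS:
        return False
    STORED[form["key"]] = form["value"]
    return True

def save_replacement_hardened(sid, form, origin):
    """Reject the write unless the request is same-origin AND carries the
    session's CSRF token (compared in constant time)."""
    if sid not in SESSIONS or origin != ALLOWED_ORIGIN:
        return False
    expected = SESSIONS[sid].encode()
    supplied = str(form.get("csrf_token", "")).encode()
    if not hmac.compare_digest(expected, supplied):
        return False
    STORED[form["key"]] = form["value"]
    return True

def render(key):
    """Output encoding: stored text is HTML-escaped on the way out,
    so a script tag becomes inert text in the page."""
    return html.escape(STORED.get(key, ""), quote=True)

def security_headers():
    """CSP that refuses inline scripts, limiting impact if escaping is ever bypassed."""
    return {"Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'"}
```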


Technical Details

Data Version: 5.1
Assigner Short Name: Patchstack
Date Reserved: 2025-06-27T11:59:29.325Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 685ea034f6cf9081996a7a2d

Added to database: 6/27/2025, 1:44:20 PM

Last enriched: 6/27/2025, 1:55:27 PM

Last updated: 8/18/2025, 4:17:28 AM

