
CVE-2025-60172: CWE-352 Cross-Site Request Forgery (CSRF) in flytedesk Flytedesk Digital

High
Published: Fri Sep 26 2025 (09/26/2025, 08:32:09 UTC)
Source: CVE Database V5
Vendor/Project: flytedesk
Product: Flytedesk Digital

Description

Cross-Site Request Forgery (CSRF) vulnerability in flytedesk Flytedesk Digital allows Stored XSS. This issue affects Flytedesk Digital: from n/a through 20181101.

AI-Powered Analysis

AI analysis last updated: 09/27/2025, 00:17:31 UTC

Technical Analysis

CVE-2025-60172 is a high-severity Cross-Site Request Forgery (CSRF) vulnerability in the Flytedesk Digital product by flytedesk. It allows an attacker to perform unauthorized actions on behalf of an authenticated user without that user's consent. The CSRF flaw can be exploited to inject stored Cross-Site Scripting (XSS) payloads, so malicious scripts can be persisted within the application and executed in the context of other users' browsers. The vulnerability affects versions of Flytedesk Digital up to and including the 20181101 release. The CVSS 3.1 base score of 7.1 reflects a network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), and required user interaction (UI:R). The scope is changed (S:C), meaning the vulnerability affects resources beyond the initially vulnerable component. The impact metrics are low for confidentiality (C:L), integrity (I:L), and availability (A:L), but the combination of CSRF and stored XSS can lead to session hijacking, unauthorized actions, and further exploitation. No patches or known exploits in the wild have been reported yet. The vulnerability is categorized under CWE-352, the common web application weakness for CSRF. The absence of patch links suggests that remediation may not yet be available or publicly disclosed. Exploitation requires tricking a user into performing an action, typically by visiting a maliciously crafted webpage while authenticated to Flytedesk Digital. Stored XSS resulting from this CSRF can lead to persistent compromise of user sessions and of data integrity within the affected application.

Potential Impact

For European organizations using Flytedesk Digital, this vulnerability poses a significant risk to web application security. The CSRF combined with stored XSS can enable attackers to execute unauthorized commands, manipulate user data, and potentially escalate privileges within the application. This can lead to data leakage, unauthorized transactions, or disruption of services. Given that Flytedesk Digital is a digital platform, organizations relying on it for content management or digital workflows may face operational disruptions and reputational damage if exploited. The vulnerability's ability to affect confidentiality, integrity, and availability, even at low levels individually, combined with the changed scope, means that multiple users and components could be compromised. European organizations are also subject to strict data protection regulations such as GDPR, and exploitation leading to data breaches could result in legal and financial penalties. The lack of available patches increases the urgency for organizations to implement interim mitigations. The requirement for user interaction means that social engineering or phishing campaigns could be used to exploit this vulnerability, increasing the attack surface. Overall, the threat could impact sectors that rely heavily on web-based digital platforms, including media, education, and corporate environments across Europe.

Mitigation Recommendations

1. Implement strict anti-CSRF tokens in all state-changing requests within Flytedesk Digital to ensure that requests originate from legitimate users and sessions.
2. Employ Content Security Policy (CSP) headers to reduce the impact of stored XSS by restricting the execution of unauthorized scripts.
3. Conduct thorough input validation and output encoding to prevent injection of malicious scripts into stored content.
4. Educate users about phishing and social engineering risks to reduce the likelihood of successful exploitation requiring user interaction.
5. Monitor web application logs for unusual request patterns indicative of CSRF or XSS exploitation attempts.
6. If possible, restrict the use of Flytedesk Digital to trusted networks or VPNs to limit exposure.
7. Engage with flytedesk vendor support to obtain or request patches and updates addressing this vulnerability.
8. Consider implementing Web Application Firewalls (WAF) with rules tailored to detect and block CSRF and XSS attack vectors targeting Flytedesk Digital.
9. Regularly review and update session management policies to minimize session hijacking risks.
10. As a temporary measure, disable or limit functionalities that allow user-generated content until patches are available.
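As an added illustration of mitigations 1 and 3 above (example code written for this page, not code from flytedesk or Flytedesk Digital), the following minimal server-side guard for a state-changing request binds a synchronizer token to the session, checks it in constant time alongside the Origin header, and output-encodes stored content so an injected script renders as inert text. The Session class, guard functions and ALLOWED_ORIGIN value are hypothetical placeholders.

```python
import hmac
import html
import secrets

# Constructed example: placeholder for the application's own origin.
ALLOWED_ORIGIN = "https://app.example.test"


class Session:
    """Hypothetical per-user session holding a token bound to that session."""

    def __init__(self):
        # Unpredictable per-session synchronizer token (CSRF mitigation).
        self.csrf_token = secrets.token_urlsafe(32)
        self.stored_content = []


def csrf_check(session, headers, form):
    """Accept the request only if it carries this session's token and, when an
    Origin header is present, that origin is the application itself."""
    origin = headers.get("Origin")
    if origin is not None and origin != ALLOWED_ORIGIN:
        return False
    submitted = form.get("csrf_token", "")
    # Constant-time comparison so a mismatch cannot be distinguished by timing.
    return hmac.compare_digest(submitted.encode(), session.csrf_token.encode())


def handle_save_content(session, headers, form):
    """State-changing endpoint: a forged cross-site request (no valid token)
    is rejected before any content is stored. Returns (status, message)."""
    if not csrf_check(session, headers, form):
        return 403, "Forbidden: missing or invalid CSRF token"
    session.stored_content.append(form.get("content", ""))
    return 200, "Saved"


def render_content(session):
    """Output-encode every stored item before it reaches a page, so a payload
    that did get stored cannot execute in other users' browsers."""
    return "".join(
        f"<p>{html.escape(item, quote=True)}</p>" for item in session.stored_content
    )
```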


Technical Details

Data Version: 5.1
Assigner Short Name: Patchstack
Date Reserved: 2025-09-25T15:28:19.137Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68d72b6279aa5c9d0854f4c2

Added to database: 9/27/2025, 12:10:10 AM

Last enriched: 9/27/2025, 12:17:31 AM

Last updated: 10/7/2025, 1:50:30 PM

