CVE-2025-66531: Cross-Site Request Forgery (CSRF) in Dimitri Grassi Salon booking system
Cross-Site Request Forgery (CSRF) vulnerability in Dimitri Grassi Salon booking system salon-booking-system allows Cross Site Request Forgery. This issue affects Salon booking system: from n/a through <= 10.30.3.
AI Analysis
Technical Summary
The CVE-2025-66531 vulnerability is a Cross-Site Request Forgery (CSRF) issue found in the Dimitri Grassi Salon booking system, affecting versions up to and including 10.30.3. CSRF vulnerabilities allow attackers to induce authenticated users to perform unwanted actions on a web application where they are logged in, without their knowledge or consent. In this case, the attacker can craft malicious requests that, when executed by a logged-in user, could alter booking data, user information, or system settings. The vulnerability has a CVSS 3.1 base score of 8.8, indicating high severity, with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. This means the attack can be performed remotely over the network (AV:N), requires low attack complexity (AC:L), no privileges (PR:N), but does require user interaction (UI:R). The scope is unchanged (S:U), and the impact on confidentiality, integrity, and availability is high (C:H/I:H/A:H). No authentication is required for the attacker, but the victim must be logged in and interact with the malicious content. The vulnerability stems from insufficient validation of requests to ensure they originate from legitimate users, such as missing or ineffective anti-CSRF tokens or improper session validation. No patches or known exploits are currently reported, but the risk remains significant due to the nature of the affected system, which handles sensitive booking and potentially personal data. The Dimitri Grassi Salon booking system is used by various small to medium businesses, including those in Europe, making this vulnerability relevant for organizations relying on this software for client management and scheduling.
Potential Impact
For European organizations, exploitation of this CSRF vulnerability could lead to unauthorized changes in salon bookings, manipulation of customer data, and disruption of service availability. Confidential client information such as personal details and appointment histories could be exposed or altered, leading to privacy violations and regulatory non-compliance under GDPR. Integrity of booking data could be compromised, resulting in financial losses, reputational damage, and operational disruptions. Availability impacts could arise if attackers perform actions that degrade or disable booking functionalities, affecting customer experience and business continuity. Given the high CVSS score and the critical nature of the data handled, organizations face significant risks if the vulnerability is exploited. Because user interaction is required, phishing or social engineering campaigns could be used to trigger the attack, which widens the attack surface. European salons and related businesses using this system are at risk of targeted attacks aiming to disrupt operations or steal sensitive client data.
Mitigation Recommendations
To mitigate CVE-2025-66531, organizations should immediately verify if they are running affected versions (up to 10.30.3) of the Dimitri Grassi Salon booking system and prioritize upgrading to a patched version once available. In the absence of an official patch, implement strict anti-CSRF protections such as synchronizer tokens or double-submit cookies to validate the origin of requests. Enforce SameSite cookie attributes to restrict cross-origin requests. Review and harden session management to detect and prevent unauthorized actions. Educate users about phishing and social engineering risks to reduce the likelihood of user interaction with malicious content. Employ web application firewalls (WAFs) with rules to detect and block suspicious CSRF attempts. Conduct regular security audits and penetration testing focusing on CSRF and session management controls. Monitor logs for unusual activity indicative of CSRF exploitation attempts. Finally, ensure compliance with data protection regulations by safeguarding client data and maintaining incident response readiness.
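The synchronizer-token, Origin and SameSite controls recommended above, as an added Python illustration that is not code from the Salon booking system or its author: `vulnerable_update_booking` shows the pre-fix pattern of honouring any request that arrives with a session, and `hardened_update_booking` puts the checks in front of the same handler. `SITE_ORIGIN`, the `_csrf` field name and the `sid` cookie are constructed assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass, field

SITE_ORIGIN = "https://salon.example"          # constructed: the booking site's own origin
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}

@dataclass
class Session:
    user: str
    # Synchronizer token: a per-session secret only the site's own pages can embed.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))

@dataclass
class Request:
    method: str
    headers: dict   # e.g. {"Origin": ...} or {"Referer": ...}
    form: dict      # submitted form fields

def issue_token(session: Session) -> str:
    """Value to embed as a hidden `_csrf` field in the site's booking forms."""
    return session.csrf_token

def session_cookie_header(session_id: str) -> str:
    """Set-Cookie value: SameSite=Lax keeps the browser from attaching the session to cross-site POSTs."""
    return f"sid={session_id}; Path=/; Secure; HttpOnly; SameSite=Lax"

def vulnerable_update_booking(session: Session, req: Request) -> str:
    """Pre-fix pattern: any state-changing request with a valid session is honoured."""
    if req.method in STATE_CHANGING:
        return f"booking {req.form.get('booking_id')} updated by {session.user}"
    return "ignored"

def csrf_check(session: Session, req: Request):
    """Return None if the request may proceed, otherwise the reason it was refused."""
    if req.method not in STATE_CHANGING:
        return None                       # safe methods must not change state anyway
    source = req.headers.get("Origin") or req.headers.get("Referer", "")
    if source != SITE_ORIGIN and not source.startswith(SITE_ORIGIN + "/"):
        return "origin mismatch"          # missing or foreign Origin/Referer
    supplied = req.form.get("_csrf", "")
    # Constant-time comparison so the token cannot be guessed byte by byte.
    if not hmac.compare_digest(supplied.encode(), session.csrf_token.encode()):
        return "missing or invalid csrf token"
    return None

def hardened_update_booking(session: Session, req: Request) -> str:
    problem = csrf_check(session, req)
    if problem:
        return f"rejected: {problem}"
    return vulnerable_update_booking(session, req)
```

The token check is the primary control; the Origin/Referer and SameSite checks are defence in depth for browsers or proxies that strip the headers.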
Affected Countries
Germany, France, Italy, Spain, United Kingdom, Netherlands, Belgium
Technical Details
- Data Version: 5.2
- Assigner Short Name: Patchstack
- Date Reserved: 2025-12-04T04:07:13.047Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 693833a029cea75c35ae51dc
Added to database: 12/9/2025, 2:35:12 PM
Last enriched: 1/21/2026, 12:43:00 AM
Last updated: 2/7/2026, 11:03:32 AM