CVE-2025-63710

The send_message.php endpoint in SourceCodester Simple Public Chat Room 1.0 is vulnerable to Cross-Site Request Forgery (CSRF). The application does not implement any CSRF-protection mechanisms such as tokens, nonces, or same-site cookie restrictions. An attacker can create a malicious HTML page that, when visited by an authenticated user, will automatically submit a forged POST request to the vulnerable endpoint. This request will be executed with the victim's privileges, allowing the attacker to perform unauthorized actions on their behalf, such as sending arbitrary messages in any chat room.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/floccocam-cpu/CVE-Research-2025/blob/main/CVE-2025-63710/README2.md	Exploit Mitigation Third Party Advisory
https://www.sourcecodester.com/php/12295/simple-public-chat-room-using-php.html	Product

Configurations

Configuration 1 (hide)

cpe:2.3:a:pijey:simple_public_chat_room:1.0:*:*:*:*:*:*:*

History

No history.

Information

Published : 2025-11-10 15:15

Updated : 2025-11-17 18:18

NVD link : CVE-2025-63710

Mitre link : CVE-2025-63710

CVE.ORG link : CVE-2025-63710

JSON object : View

Products Affected

pijey

simple_public_chat_room

CWE

CWE-352

Cross-Site Request Forgery (CSRF)

{"id": "CVE-2025-63710", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 3.9}]}, "published": "2025-11-10T15:15:37.920", "references": [{"url": "https://github.com/floccocam-cpu/CVE-Research-2025/blob/main/CVE-2025-63710/README2.md", "tags": ["Exploit", "Mitigation", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://www.sourcecodester.com/php/12295/simple-public-chat-room-using-php.html", "tags": ["Product"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-352"}]}], "descriptions": [{"lang": "en", "value": "The send_message.php endpoint in SourceCodester Simple Public Chat Room 1.0 is vulnerable to Cross-Site Request Forgery (CSRF). The application does not implement any CSRF-protection mechanisms such as tokens, nonces, or same-site cookie restrictions. An attacker can create a malicious HTML page that, when visited by an authenticated user, will automatically submit a forged POST request to the vulnerable endpoint. This request will be executed with the victim's privileges, allowing the attacker to perform unauthorized actions on their behalf, such as sending arbitrary messages in any chat room."}, {"lang": "es", "value": "El endpoint send_message.php en SourceCodester Simple Public Chat Room 1.0 es vulnerable a falsificaci\u00f3n de petici\u00f3n en sitios cruzados (CSRF). La aplicaci\u00f3n no implementa ning\u00fan mecanismo de protecci\u00f3n contra CSRF, como tokens, nonces o restricciones de cookie de mismo sitio. Un atacante puede crear una p\u00e1gina HTML maliciosa que, cuando es visitada por un usuario autenticado, enviar\u00e1 autom\u00e1ticamente una petici\u00f3n POST falsificada al endpoint vulnerable. Esta petici\u00f3n se ejecutar\u00e1 con los privilegios de la v\u00edctima, permitiendo al atacante realizar acciones no autorizadas en su nombre, como enviar mensajes arbitrarios en cualquier sala de chat."}], "lastModified": "2025-11-17T18:18:39.677", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:pijey:simple_public_chat_room:1.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4333F6E1-DB7B-451F-96FD-437425AFA15A"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}