Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-13177

CVE-2025-13177: Bdtask Saleserp CSRF Vulnerability

CVE-2025-13177 is a cross-site request forgery flaw in Bdtask Saleserp that enables attackers to execute unauthorized actions remotely. This article covers the technical details, affected versions, impact, and mitigation.

Published:

CVE-2025-13177 Overview

A Cross-Site Request Forgery (CSRF) vulnerability has been identified in Bdtask/CodeCanyon SalesERP up to version 20250728. This vulnerability affects an unspecified component within the application and allows attackers to execute unauthorized actions on behalf of authenticated users. The attack can be initiated remotely, and a public exploit has been disclosed. Notably, the vendor was contacted regarding this vulnerability but did not respond.

Critical Impact

Attackers can trick authenticated users into performing unintended actions within SalesERP, potentially leading to unauthorized data modifications, account changes, or administrative operations without the user's consent.

Affected Products

  • Bdtask SalesERP up to version 20250728
  • Bdtask/CodeCanyon SalesERP installations

Discovery Timeline

  • 2025-11-14 - CVE-2025-13177 published to NVD
  • 2025-11-24 - Last updated in NVD database

Technical Details for CVE-2025-13177

Vulnerability Analysis

This CSRF vulnerability in Bdtask SalesERP stems from insufficient validation of request origins and missing anti-CSRF tokens on sensitive operations. When a user is authenticated to SalesERP and visits a malicious website or clicks a crafted link, the attacker can force the user's browser to send unauthorized requests to the SalesERP application. Since the browser automatically includes the user's session cookies with these requests, the application processes them as legitimate actions from the authenticated user.

The vulnerability requires user interaction—the victim must be logged into SalesERP and must visit an attacker-controlled page or click a malicious link. This attack vector leverages the trust relationship between the browser and the application without proper request validation.

Root Cause

The root cause of this vulnerability is the absence of proper anti-CSRF protections in the affected SalesERP component. The application fails to implement CSRF tokens or verify the origin of incoming requests, allowing attackers to craft malicious requests that the application cannot distinguish from legitimate user-initiated actions. This is classified under CWE-352 (Cross-Site Request Forgery).

Attack Vector

The attack is network-based and can be executed remotely. An attacker creates a malicious webpage containing hidden forms or JavaScript that automatically submits requests to the target SalesERP instance. When an authenticated user visits this malicious page, their browser sends the forged request along with valid session credentials.

The attack typically involves:

  1. Identifying state-changing endpoints in SalesERP that lack CSRF protection
  2. Crafting an HTML page with a form that targets the vulnerable endpoint
  3. Distributing the malicious page via phishing or embedding it on a compromised website
  4. Waiting for an authenticated SalesERP user to visit the page, triggering the forged request

For technical details and proof-of-concept information, refer to the GitHub PoC Issue and VulDB Entry #332467.

Detection Methods for CVE-2025-13177

Indicators of Compromise

  • Unexpected changes to user accounts, settings, or data within SalesERP
  • Unusual administrative actions performed without corresponding user activity
  • HTTP referrer headers showing requests originating from external domains
  • User reports of unintended actions occurring after visiting external websites

Detection Strategies

  • Monitor SalesERP access logs for requests with external or missing referrer headers targeting sensitive endpoints
  • Implement web application firewalls (WAF) with CSRF detection rules
  • Review audit logs for state-changing actions that don't correlate with user activity patterns
  • Analyze network traffic for suspicious cross-origin requests to the SalesERP application

Monitoring Recommendations

  • Enable detailed logging on all state-changing operations within SalesERP
  • Configure alerts for administrative actions occurring outside normal business hours
  • Monitor for bulk or rapid successive changes to user accounts or application data
  • Track and alert on referrer anomalies in HTTP request logs

How to Mitigate CVE-2025-13177

Immediate Actions Required

  • Educate users about the risks of visiting untrusted websites while logged into SalesERP
  • Implement session timeout policies to reduce the window of exposure
  • Consider placing SalesERP behind a VPN or restricting access to trusted networks
  • Review recent application logs for potential exploitation attempts

Patch Information

No official patch is currently available from the vendor. According to the disclosure, Bdtask was contacted about this vulnerability but did not respond. Users should monitor the vendor's official channels for security updates.

For additional details, see the VulDB Submission #684819.

Workarounds

  • Implement a reverse proxy with custom CSRF protection headers for incoming requests
  • Configure Content Security Policy (CSP) headers to restrict cross-origin requests
  • Use browser extensions or policies that block third-party cookies when accessing SalesERP
  • Log out of SalesERP when not actively using the application to prevent session abuse
  • Consider implementing a custom CSRF token mechanism at the web server level if application-level fixes are not available

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.