Cross-Site Request Forgery in Webkul QloApps Affects User Logout Functionality
CVE-2025-1074

5.3MEDIUM

Key Information:

Vendor
Webkul
Status
Qloapps
Vendor
CVE Published:
6 February 2025

Badges

👾 Exploit Exists🟡 Public PoC

Summary

A Cross-Site Request Forgery issue has been identified in Webkul QloApps version 1.6.1, specifically within the logout function of the URL Handler component located in /en/?mylogout. This vulnerability allows an attacker to potentially manipulate and execute unauthorized actions on behalf of authenticated users, leading to unauthorized access and potential exploitation. The issue can be exploited remotely, making it crucial for users to remain vigilant. The vendor has been notified and is currently working on a resolution to mitigate this security risk.

Affected Version(s)

QloApps 1.6.1

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2025-1074 - Proof of Concept

References

https://vuldb.com/?id.294834
vdb-entrytechnical-description
https://vuldb.com/?ctiid.294834
signaturepermissions-required
https://vuldb.com/?submit.491600
third-party-advisory

CVSS V4

Score:
5.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • 🟡

    Public PoC available

  • 👾

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

Mahendravarman (VulDB User)
Mahendravarman (VulDB User)
.