PT-2025-43971 · Unknown · Wimi Teamwork
Noa Tchoumak
·
Published
2025-10-27
·
Updated
2025-10-27
·
CVE-2025-34133
CVSS v4.0
7.0
High
| Vector | AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Name of the Vulnerable Software and Affected Versions
Wimi Teamwork versions prior to 7.38.17
Description
The software contains a cross-site request forgery (CSRF) issue in its API. The API accepts authenticated requests containing a JSON field named csrf token without validating its value, checking only for its presence. An attacker can create a cross-site request that causes a logged-in victim’s browser to submit a JSON POST containing an arbitrary or empty csrf token, leading the API to execute the request with the victim’s privileges. Exploitation could allow an attacker to perform actions as the victim, potentially resulting in account takeover, privilege escalation, or service disruption.
Recommendations
Update Wimi Teamwork to version 7.38.17 or later.
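To make the weakness concrete for developers and reviewers, the following added illustration (not Wimi's code) contrasts a presence-only check of the kind described above with a token that is bound to the session and compared in constant time. The field name csrf_token, the HMAC-of-session-id token scheme, the server key and the sample request bodies are assumptions for this example.

```python
import hashlib
import hmac
import json
import secrets

# Hypothetical server-side secret; a real deployment loads it from configuration.
SERVER_KEY = secrets.token_bytes(32)


def issue_csrf_token(session_id: str) -> str:
    """Bind the token to the session: HMAC(server_key, session_id), sent to the client on login."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def vulnerable_check(body: dict, session_id: str) -> bool:
    """Presence-only check, the pattern the advisory describes: any value, even "", passes."""
    return "csrf_token" in body


def hardened_check(body: dict, session_id: str) -> bool:
    """Reject missing, empty, non-string or mismatching tokens; compare in constant time."""
    token = body.get("csrf_token")
    if not isinstance(token, str) or not token:
        return False
    return hmac.compare_digest(token, issue_csrf_token(session_id))


def handle_post(raw_body: str, session_id: str, check) -> str:
    """Decide whether a JSON POST from an authenticated session would be executed under `check`."""
    try:
        body = json.loads(raw_body)
    except json.JSONDecodeError:
        return "rejected: malformed JSON"
    if not isinstance(body, dict):
        return "rejected: body is not an object"
    return "executed" if check(body, session_id) else "rejected: CSRF token invalid"


def sample_requests(session_id: str) -> dict:
    """Constructed sample bodies: one legitimate request and three forged variants."""
    action = {"action": "rename_project", "name": "renamed"}
    return {
        "legit": json.dumps({"csrf_token": issue_csrf_token(session_id), **action}),
        "forged_empty": json.dumps({"csrf_token": "", **action}),
        "forged_arbitrary": json.dumps({"csrf_token": "anything", **action}),
        "forged_missing": json.dumps(action),
    }
```

Running `handle_post` over `sample_requests("sess-A")` shows that the presence-only check executes the empty and arbitrary-token variants, while the session-bound check executes only the legitimate one and also rejects a valid token issued for a different session.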
Fix
LPE
CSRF
Weakness Enumeration
Related Identifiers
Affected Products
Wimi Teamwork