PT-2025-45479 · Sourcecodester · Pet Grooming Management

Published: 2025-11-07 · Updated: 2025-11-07 · CVE-2025-63717

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: SourceCodester Pet Grooming Management Software version 1.0
Description: The application lacks sufficient anti-CSRF protections, such as anti-CSRF tokens or same-site cookie restrictions. This allows an attacker to trick an authenticated user into unintentionally changing their password. The vulnerable functionality is located at the /pet grooming/admin/change pass.php API endpoint. An attacker could craft a malicious request that, when triggered by an authenticated user, would execute the changePassword() function and alter the user's password.

Recommendations: Implement anti-CSRF tokens on the /pet grooming/admin/change pass.php endpoint. Set the SameSite attribute on the session cookie to mitigate the risk of CSRF attacks.
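As an added illustration of the recommended fix (not code from the Pet Grooming Management project), a PHP change-password handler that validates a per-session anti-CSRF token and sends the session cookie with SameSite; the form field names and the changePassword() call signature are assumptions.

```php
<?php
// Added illustration (not the Pet Grooming Management code): the change-password
// handler validates a per-session anti-CSRF token and the session cookie carries
// SameSite, so a forged cross-site POST neither carries the admin session nor
// knows the token. Field names and the changePassword() signature are assumed.
declare(strict_types=1);

// Cookie flags must be set before the session starts. SameSite=Strict means the
// browser will not attach the session cookie to a request initiated by another site.
session_set_cookie_params([
    'httponly' => true,
    'secure'   => true,
    'samesite' => 'Strict',
]);
session_start();

// One unpredictable token per session, embedded in the form as a hidden field.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// True only if the submitted token matches the session token (constant-time compare).
function csrf_check(array $post): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    $provided = $post['csrf_token'] ?? '';
    return $expected !== '' && is_string($provided) && hash_equals($expected, $provided);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_check($_POST)) {
        http_response_code(403);
        exit('Request rejected: missing or invalid CSRF token');
    }
    // Re-authenticating with the current password is a second check a forged
    // request cannot satisfy; changePassword() here is an assumed signature.
    // changePassword((int) $_SESSION['user_id'], $_POST['current_password'], $_POST['new_password']);
}
?>
<form method="post" action="">
  <input type="hidden" name="csrf_token" value="<?= htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') ?>">
  <input type="password" name="current_password" required>
  <input type="password" name="new_password" required>
  <button type="submit">Change password</button>
</form>
```

The token check and the current-password requirement are independent: even if a SameSite cookie is not honoured by an older browser, a cross-site request still cannot supply either value.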

Weakness Enumeration: CSRF

Related Identifiers: CVE-2025-63717

Affected Products: Pet Grooming Management