PT-2025-46162 · Sourcecodester · Client Database Management System

Published 2025-11-10 · Updated 2025-11-14 · CVE-2025-63711

CVSS v3.1 7.1 High

Vector AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L
Name of the Vulnerable Software and Affected Versions
SourceCodester Client Database Management System version 1.0
Description
A Cross-Site Request Forgery (CSRF) vulnerability exists in the application, allowing an attacker to make an authenticated administrative user perform actions without their consent. The user deletion endpoint, such as /superadmin user delete.php, accepts POST requests containing the user id parameter. The endpoint neither validates the request origin nor requires an anti-CSRF token, and it lacks proper authentication and authorization checks. An attacker can craft a malicious page that, when visited by an authenticated administrator, submits such a request from the administrator's browser with the administrator's session cookies, resulting in the removal of arbitrary user accounts.
Recommendations
Apply CSRF protection to the /superadmin user delete.php endpoint and to every other state-changing request: require a per-session anti-CSRF token submitted with each POST and compare it in constant time. Validate the request origin (Origin header, falling back to Referer) and reject requests that do not come from the application's own site. Enforce authentication and authorization on the server side so that only a logged-in administrator with the appropriate role can delete users, regardless of what the client sends.
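The following PHP is an added example illustrating both the vulnerable pattern described above and the fixes listed in the recommendations; it is not code from the Sourcecodester project. The endpoint logic, the parameter name user_id, the session keys, the trusted origin and the deleteUser() helper are assumptions for illustration. The hardened handler checks method, session role, request origin and a single-use anti-CSRF token before touching the database.

```php
<?php
// Added example, not the project's own code. The parameter name, session
// layout, trusted origin and deleteUser() helper are assumptions.

const TRUSTED_ORIGIN = 'https://crm.example.test';   // assumed site origin

// Hypothetical stand-in for the application's real database call.
function deleteUser(int $userId): string {
    return "deleted user {$userId}";
}

// The pattern the advisory describes: any POST carrying an id is acted on,
// with no origin check, no token and no check of who is asking.
function deleteUserInsecure(array $post): string {
    return deleteUser((int) $post['user_id']);
}

// Per-session random token; regenerated after each successful use.
function issueCsrfToken(array &$session): string {
    $session['csrf_token'] = bin2hex(random_bytes(32));
    return $session['csrf_token'];
}

// Constant-time comparison so the token cannot be guessed byte by byte.
function csrfTokenValid(array $session, array $post): bool {
    return isset($session['csrf_token'], $post['csrf_token'])
        && is_string($post['csrf_token'])
        && hash_equals($session['csrf_token'], $post['csrf_token']);
}

// Cross-site requests carry the attacker's Origin; a request with neither
// Origin nor Referer is refused rather than trusted.
function originTrusted(array $server): bool {
    if (isset($server['HTTP_ORIGIN'])) {
        return $server['HTTP_ORIGIN'] === TRUSTED_ORIGIN;
    }
    if (isset($server['HTTP_REFERER'])) {
        return strpos($server['HTTP_REFERER'], TRUSTED_ORIGIN . '/') === 0;
    }
    return false;
}

function deleteUserHardened(array $server, array &$session, array $post): string {
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return 'rejected: method';
    }
    // Authentication and authorization: only a logged-in superadmin may delete.
    if (empty($session['user_id']) || ($session['role'] ?? '') !== 'superadmin') {
        return 'rejected: not authorized';
    }
    if (!originTrusted($server)) {
        return 'rejected: origin';
    }
    if (!csrfTokenValid($session, $post)) {
        return 'rejected: csrf token';
    }
    unset($session['csrf_token']);   // single use: a captured token cannot be replayed
    $id = filter_var($post['user_id'] ?? null, FILTER_VALIDATE_INT);
    if ($id === false || $id < 1) {
        return 'rejected: bad id';
    }
    return deleteUser($id);
}

// Constructed demonstration: a forged cross-site POST and a legitimate one,
// both arriving with a valid superadmin session (as in a CSRF attack).
$session = ['user_id' => 1, 'role' => 'superadmin'];
$token   = issueCsrfToken($session);

$forged = ['REQUEST_METHOD' => 'POST', 'HTTP_ORIGIN' => 'https://attacker.example'];
echo deleteUserInsecure(['user_id' => '7']), "\n";
echo deleteUserHardened($forged, $session, ['user_id' => '7']), "\n";

$legit = ['REQUEST_METHOD' => 'POST', 'HTTP_ORIGIN' => TRUSTED_ORIGIN];
echo deleteUserHardened($legit, $session, ['user_id' => '7', 'csrf_token' => $token]), "\n";
// Same token a second time: rejected, because it was consumed above.
echo deleteUserHardened($legit, $session, ['user_id' => '7', 'csrf_token' => $token]), "\n";
```

Run it with `php csrf_example.php`. The insecure handler deletes the user on the forged request; the hardened handler rejects it at the origin check, accepts the legitimate request that carries the session token, and rejects a replay of the same token. The origin check alone is not sufficient (some clients omit both headers, and a misconfigured proxy can strip them), which is why the token is required as well, and the role check is what stops an unauthenticated caller even if the other two are bypassed.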

Exploit

Fix

CSRF


Weakness Enumeration

Related Identifiers

CVE-2025-63711

Affected Products

Client Database Management System