CVE-2018-25174 MEDIUM

CVE-2018-25174: ABC ERP 0.6.4 Cross-Site Request Forgery via _configurar_perfil.php

Vendor Abc-Erp
Product ABC ERP
Weakness CWE-352 · CSRF
Published March 6, 2026
Last update March 9, 2026

CVSS base score

6.9/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L

What the vulnerability does

Description

ABC ERP 0.6.4 contains a cross-site request forgery vulnerability that allows attackers to modify administrator credentials by submitting forged requests to _configurar_perfil.php. Attackers can craft malicious forms or links containing parameters like usuario, contrasena1, contrasena2, nombre, and email to change admin account settings without authentication.
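
One way to look for this in web server logs, as an added example that is not part of the original record: it flags POST requests to _configurar_perfil.php whose Referer header is missing or names a different host than the ERP itself. The "combined" access log format, the host name erp.example.internal and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumed values: the ERP's own host name and the Apache/Nginx "combined" log format.
SITE_HOST = "erp.example.internal"
ENDPOINT = "_configurar_perfil.php"  # endpoint named in the CVE description

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def classify(line, site_host=SITE_HOST):
    """Return None for uninteresting lines, else a dict describing the finding."""
    m = LINE_RE.match(line)
    if not m or m["method"] != "POST":
        return None
    path = urlsplit(m["target"]).path
    if path.rsplit("/", 1)[-1] != ENDPOINT:
        return None
    referer = m["referer"]
    if referer in ("", "-"):
        reason = "missing-referer"  # weaker signal: privacy tools also strip it
    else:
        # Compare the parsed host exactly; a substring match would accept
        # look-alike hosts that merely start with the site name.
        ref_host = (urlsplit(referer).hostname or "").lower()
        if ref_host == site_host.lower():
            return None  # submitted from the application's own pages
        reason = "cross-site-referer"
    return {"ip": m["ip"], "time": m["ts"], "status": int(m["status"]),
            "reason": reason, "referer": referer}

def scan(lines, site_host=SITE_HOST):
    """Return findings for every profile-change POST that did not come from the site."""
    return [f for f in (classify(l, site_host) for l in lines) if f]

# Constructed sample log lines (not taken from any real system).
SAMPLE_LOG = [
    '10.0.0.5 - - [09/Mar/2026:10:01:02 +0000] "POST /_configurar_perfil.php HTTP/1.1" 302 0 "https://erp.example.internal/" "Mozilla/5.0"',
    '10.0.0.5 - - [09/Mar/2026:10:07:41 +0000] "POST /_configurar_perfil.php HTTP/1.1" 302 0 "https://erp.example.internal.other.example/p.html" "Mozilla/5.0"',
    '10.0.0.9 - - [09/Mar/2026:10:09:13 +0000] "POST /_configurar_perfil.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [09/Mar/2026:10:09:20 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Findings from this check are leads for review, not proof of exploitation; the durable fix is server-side validation of a per-session anti-CSRF token on the profile form.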

Key dates

Disclosure timeline

March 6, 2026 CVE published
March 9, 2026 Record updated