CVE-2018-25174

MEDIUM

ABC ERP 0.6.4 - Cross-Site Request Forgery via _configurar_perfil.php

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-25174. PoCs published by Ihsan Sencan.

AI-analyzed exploit summary: The exploit demonstrates a CSRF vulnerability in ABC ERP 0.6.4, allowing an attacker to update admin credentials via a crafted POST request. It includes both raw HTTP requests and an HTML form to trigger the vulnerability.

Description

ABC ERP 0.6.4 contains a cross-site request forgery vulnerability that allows attackers to modify administrator credentials by submitting forged requests to _configurar_perfil.php. Attackers can craft malicious forms or links containing parameters such as usuario, contrasena1, contrasena2, nombre, and email to change admin account settings; the attacker needs no credentials of their own, since the forged request is processed under the session of the administrator who is tricked into submitting it.

Exploits (1)

exploitdb · WORKING POC
by Ihsan Sencan · text · webapps · php
https://www.exploit-db.com/exploits/45836


Classification
Working Poc 95%
Attack Type
Auth Bypass
Complexity
Trivial
Reliability
Reliable
Target: ABC ERP 0.6.4
No auth needed
Prerequisites: Victim must be authenticated as admin · Attacker must trick victim into submitting the form
devstral-2 · analyzed Mar 06, 2026

References (2)

Core References (2)
Exploit, Third Party Advisory (exploit): https://www.exploit-db.com/exploits/45836

Scores

CVSS v3 5.3
EPSS 0.0013
EPSS Percentile 2.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact partial

Details

CWE
CWE-352
Status published
Published Mar 06, 2026
Tracked Since Mar 06, 2026