Description
A vulnerability was detected in Webkul QloApps up to 1.7.0. It affects an unknown function of the CSRF Token Handler component. Manipulating the argument token results in an authorization bypass. The attack may be initiated remotely. The exploit is now public and may be used. The vendor explains: "As we are already aware of this vulnerability and our internal team is already working on this issue. (...) We'll implement the fix for this vulnerability in our next major release."
References (5)
Third Party Advisory, VDB Entry (vdb-entry, technical-description): https://vuldb.com/?id.325114
Permissions Required, VDB Entry (signature, permissions-required): https://vuldb.com/?ctiid.325114
Third Party Advisory, VDB Entry (third-party-advisory): https://vuldb.com/?submit.645821
Exploit, Third Party Advisory (related): https://github.com/Ryomensukuna13/QloApps-Reusable-CSRF-Token-in-Logout-Functionality/blob/main/README.md
Exploit, Third Party Advisory (exploit): https://github.com/Ryomensukuna13/QloApps-Reusable-CSRF-Token-in-Logout-Functionality/blob/main/README.md#proof-of-concept-poc
Scores
CVSS v3: 5.3
EPSS: 0.0006
EPSS Percentile: 18.2%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
CISA SSVC (Vulnrichment)
Exploitation: poc
Automatable: yes
Technical Impact: partial
Details
CWE: CWE-639, CWE-285, CWE-352
Status: published
Products (1)
webkul/qloapps: < 1.7.0
Published: Sep 21, 2025
Tracked Since: Feb 18, 2026