CVE-2025-28355

MEDIUM

Volmarg Personal Management System 1.4.65 - Cross-Site Request Forgery via SameSite Cookie Attribute

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-28355. PoCs published by abbisQQ.

AI-analyzed exploit summary: This repository documents a CSRF vulnerability (CVE-2025-28355) in the personal-management-system application, allowing attackers to change user passwords via a malicious HTML page. The PoC demonstrates password modification in Firefox due to lax SameSite cookie handling.

Description

Volmarg Personal Management System 1.4.65 is vulnerable to Cross-Site Request Forgery (CSRF), allowing attackers to execute arbitrary code and obtain sensitive information via the SameSite cookie attribute's default value being set to none.

Exploits (1)

nomisec WRITEUP
by abbisQQ · poc
https://github.com/abbisQQ/CVE-2025-28355

Classification
Writeup 90%
Attack Type
Other
Complexity
Trivial
Reliability
Reliable
Target: personal-management-system (version unspecified)
No auth needed
Prerequisites:
- Victim must be logged into the target application
- Victim must use a browser with SameSite=none default (e.g., Firefox)
- Attacker must trick victim into visiting a malicious URL
Analyzed by devstral-2 on Feb 16, 2026

Scores

CVSS v3 4.7
EPSS 0.0018
EPSS Percentile 7.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-352
Status published
Products (1)
personal-management-system/personal_management_system 1.4.65
Published Apr 18, 2025
Tracked Since Feb 18, 2026