nopCommerce 4.90.0 is vulnerable to Cross Site Request Forgery (CSRF) via the Schedule Tasks functionality
A Cross-Site Request Forgery (CSRF) vulnerability has been found in nopCommerce 4.90.0: an attacker can use the "Run now" button of the Schedule Tasks functionality to run tasks without the user's consent. The vulnerability has been assigned CVE-2025-65593 and was discovered by AlterSec/PenTest.NZ. 2025-12-16 05:19:14 Source: seclists.org


Full Disclosure mailing list archives


From: Onur Tezcan via Fulldisclosure <fulldisclosure () seclists org>
Date: Fri, 12 Dec 2025 15:11:01 +0000

 [Attack Vectors]
      > A Cross-Site Request Forgery (CSRF) vulnerability was identified on the "Run now" button of the Schedule tasks
functionality. Exploiting this vulnerability, an attacker can run a scheduled task without the victim user's consent or
knowledge.

Assigned CVE code:
      > CVE-2025-65593

 [Discoverer]
      > AlterSec t/a PenTest.NZ

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
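The standard defence against the class of issue the post describes, written here as an added example (it is not from the post and is not nopCommerce code): a hypothetical minimal ASP.NET Core app whose "Run now" endpoint accepts only a POST that carries a valid per-session anti-forgery token, which a cross-site form cannot obtain. The route paths, the task id and the handler body are constructed for illustration.

```csharp
// Hypothetical minimal ASP.NET Core app (not nopCommerce code). A forged
// cross-site request can make the victim's browser send cookies, but it
// cannot read the anti-forgery token, so ValidateRequestAsync rejects it.
using Microsoft.AspNetCore.Antiforgery;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddAntiforgery(options =>
{
    // Token travels in a hidden form field; its paired cookie is SameSite=Strict.
    options.FormFieldName = "__RequestVerificationToken";
    options.Cookie.SameSite = SameSiteMode.Strict;
});
var app = builder.Build();

// Renders the "Run now" form for a task (constructed route) with the token embedded.
app.MapGet("/admin/scheduletask/{id:int}", (int id, HttpContext ctx, IAntiforgery af) =>
{
    var tokens = af.GetAndStoreTokens(ctx);
    return Results.Content($"""
        <form method="post" action="/admin/scheduletask/runnow/{id}">
          <input type="hidden" name="{tokens.FormFieldName}" value="{tokens.RequestToken}" />
          <button type="submit">Run now</button>
        </form>
        """, "text/html");
});

// State-changing action: reject any POST whose token does not match the cookie.
app.MapPost("/admin/scheduletask/runnow/{id:int}", async (int id, HttpContext ctx, IAntiforgery af) =>
{
    try
    {
        await af.ValidateRequestAsync(ctx);
    }
    catch (AntiforgeryValidationException)
    {
        // Missing or mismatched token: this is what a cross-site submission looks like.
        return Results.StatusCode(StatusCodes.Status400BadRequest);
    }
    // Hypothetical task runner; a real app would dispatch the scheduled task here.
    return Results.Ok($"Task {id} started");
});

app.Run();
```

Because the endpoint is POST-only and validates the token, a GET link or an auto-submitting form on another origin cannot trigger the task.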


Source: https://seclists.org/fulldisclosure/2025/Dec/20