CVE-2018-25174 in ABC ERP

Summary

by MITRE • 03/06/2026

ABC ERP 0.6.4 contains a cross-site request forgery vulnerability that allows attackers to modify administrator credentials by submitting forged requests to _configurar_perfil.php. Attackers can craft malicious forms or links containing parameters like usuario, contrasena1, contrasena2, nombre, and email to change admin account settings without authentication.


Analysis

by VulDB Data Team • 03/06/2026

The CVE-2018-25174 vulnerability represents a critical cross-site request forgery flaw in ABC ERP version 0.6.4 that fundamentally compromises the system's authentication and authorization mechanisms. This vulnerability resides within the _configurar_perfil.php endpoint, which serves as the administrative profile configuration interface for the enterprise resource planning system. The flaw enables unauthenticated attackers to manipulate administrator credentials through crafted malicious requests, effectively undermining the security posture of the entire ERP infrastructure. The vulnerability's impact extends beyond simple credential modification as it provides attackers with elevated privileges that could lead to complete system compromise and unauthorized access to sensitive business data.

The technical implementation of this CSRF vulnerability stems from the absence of proper anti-forgery token validation within the administrative profile modification functionality. When legitimate users interact with the _configurar_perfil.php endpoint, the application fails to verify that requests originate from authenticated administrative sessions. This omission creates a pathway for attackers to construct malicious HTML forms or manipulate URL parameters containing sensitive fields such as usuario (username), contrasena1 (password1), contrasena2 (password2), nombre (name), and email. The vulnerability's exploitation mechanism relies on the application's trust in request parameters without proper session validation or token verification, making it particularly dangerous as it requires no prior authentication to execute.

The operational impact of this vulnerability is severe and multifaceted, as it enables attackers to gain unauthorized administrative control over the ABC ERP system. Once exploited, attackers can modify administrator credentials to establish persistent access, potentially leading to data exfiltration, system manipulation, and complete compromise of the enterprise resource planning environment. The vulnerability's nature means that any user who visits a malicious webpage containing crafted forms could inadvertently trigger the credential modification, making it particularly insidious in phishing attacks or compromised websites. Organizations using this version of ABC ERP face significant risk of unauthorized system access, data breaches, and potential regulatory compliance violations due to the exposure of administrative privileges.

Security professionals should recognize this vulnerability as a direct violation of CWE-352, which specifically addresses Cross-Site Request Forgery weaknesses in web applications. The flaw aligns with ATT&CK technique T1566.001, which covers phishing attacks that leverage CSRF vulnerabilities to gain unauthorized access to administrative accounts. Mitigation strategies must include immediate implementation of anti-forgery tokens for all administrative functions, proper session validation mechanisms, and comprehensive input sanitization. Organizations should also deploy web application firewalls to detect and block suspicious requests, implement strict access controls, and conduct regular security assessments. The vulnerability underscores the critical importance of proper authentication verification and the necessity of following secure coding practices to prevent unauthorized privilege escalation in enterprise applications.
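The mitigations named above (anti-forgery token, session validation, re-checking the credential change) applied to a profile-configuration endpoint of this shape, as an added example; this is hypothetical hardening code written for this page, not ABC ERP's own `_configurar_perfil.php`. It assumes the login code stores `admin_id` in the session and that two hypothetical helpers, `current_admin_password_hash()` and `update_admin_profile()`, exist for persistence.

```php
<?php
// Added example of a hardened profile-update handler (not ABC ERP's code).
// Assumed: login sets $_SESSION['admin_id']; current_admin_password_hash()
// and update_admin_profile() are hypothetical persistence helpers.

// Bind the session cookie to same-site navigations before the session starts,
// so a cross-site POST from a forged form arrives without the admin's cookie.
session_set_cookie_params(['samesite' => 'Strict', 'httponly' => true, 'secure' => true]);
session_start();

// 1. Only an authenticated administrative session may reach this code.
if (empty($_SESSION['admin_id'])) {
    http_response_code(401);
    exit('Inicie sesión');
}

// 2. On GET, issue a random per-session anti-forgery token and embed it in the form.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    $_SESSION['csrf_token'] ??= bin2hex(random_bytes(32));
    $t = htmlspecialchars($_SESSION['csrf_token'], ENT_QUOTES, 'UTF-8');
    echo '<form method="post" action="_configurar_perfil.php">'
       . '<input type="hidden" name="csrf_token" value="' . $t . '">'
       . '<input name="usuario"><input name="nombre"><input name="email">'
       . '<input type="password" name="contrasena_actual">'
       . '<input type="password" name="contrasena1">'
       . '<input type="password" name="contrasena2"><button>Guardar</button></form>';
    exit;
}

// 3. Reject any POST whose token is missing or differs from the session's token;
//    hash_equals() keeps the comparison constant-time.
$token = $_POST['csrf_token'] ?? '';
if (!is_string($token) || empty($_SESSION['csrf_token'])
        || !hash_equals($_SESSION['csrf_token'], $token)) {
    http_response_code(403);
    exit('Token anti-CSRF inválido');
}

// 4. A credential change must re-prove the current password, so even a request
//    riding a valid session cannot rotate the password without it.
$actual = (string) ($_POST['contrasena_actual'] ?? '');
if (!password_verify($actual, current_admin_password_hash($_SESSION['admin_id']))) {
    http_response_code(403);
    exit('Contraseña actual incorrecta');
}
if (($_POST['contrasena1'] ?? '') !== ($_POST['contrasena2'] ?? '')) {
    exit('Las contraseñas no coinciden');
}
update_admin_profile($_SESSION['admin_id'], (string) ($_POST['usuario'] ?? ''),
    (string) ($_POST['nombre'] ?? ''), (string) ($_POST['email'] ?? ''),
    password_hash((string) $_POST['contrasena1'], PASSWORD_DEFAULT));
```

Checks 1 and 3 together are what the advisory says is missing: a forged form on another origin can neither carry the admin's session nor guess the per-session token, so its POST is rejected before any field is read.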

Responsible

VulnCheck

Reservation

03/06/2026

Disclosure

03/06/2026

Moderation

accepted

CPE

ready

Exploit

Download

EPSS

0.00031

KEV

no

Activities

very low
