Vulnerability Details CVE-2025-10759
A vulnerability was detected in Webkul QloApps up to 1.7.0. This affects an unknown function of the component CSRF Token Handler. Performing manipulation of the argument token results in authorization bypass. The attack may be initiated remotely. The exploit is now public and may be used. The vendor explains: "As We are already aware about this vulnerability and our Internal team are already working on this issue. (...) We'll implement the fix for this vulnerability in our next major release."
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 12.8%
CVSS Severity
CVSS v3 Score 5.3
CVSS v2 Score 5.0
References
- https://github.com/Ryomensukuna13/QloApps-Reusable-CSRF-Token-in-Logout-Functionality/blob/main/README.md
- https://github.com/Ryomensukuna13/QloApps-Reusable-CSRF-Token-in-Logout-Functionality/blob/main/README.md#proof-of-concept-poc
- https://vuldb.com/?ctiid.325114
- https://vuldb.com/?id.325114
- https://vuldb.com/?submit.645821
Products affected by CVE-2025-10759
-
cpe:2.3:a:webkul:qloapps:0.3
-
cpe:2.3:a:webkul:qloapps:1.3.0
-
cpe:2.3:a:webkul:qloapps:1.3.1
-
cpe:2.3:a:webkul:qloapps:1.3.2
-
cpe:2.3:a:webkul:qloapps:1.4.0
-
cpe:2.3:a:webkul:qloapps:1.4.1
-
cpe:2.3:a:webkul:qloapps:1.5.0
-
cpe:2.3:a:webkul:qloapps:1.5.1
-
cpe:2.3:a:webkul:qloapps:1.5.2
-
cpe:2.3:a:webkul:qloapps:1.6.0
-
cpe:2.3:a:webkul:qloapps:1.6.1