CVE-2018-25174
Description
ABC ERP 0.6.4 contains a cross-site request forgery vulnerability that allows attackers to modify administrator credentials by submitting forged requests to _configurar_perfil.php. Attackers can craft malicious forms or links containing parameters like usuario, contrasena1, contrasena2, nombre, and email to change admin account settings without needing to authenticate themselves.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
ABC ERP 0.6.4 is vulnerable to cross-site request forgery, allowing attackers to change administrator credentials via crafted requests to _configurar_perfil.php.
Vulnerability
ABC ERP 0.6.4 contains a cross-site request forgery (CSRF) vulnerability in the _configurar_perfil.php script. The application lacks anti-CSRF tokens or other validation mechanisms, allowing arbitrary requests to modify administrator account settings [1].
Exploitation
An attacker can craft a malicious HTML form or a direct GET/POST request containing parameters such as usuario, contrasena1, contrasena2, nombre, email, and old_usuario. If an authenticated admin visits the attacker's page, the request executes with the admin's session, changing the credentials without the admin's knowledge [1].
Impact
Successful exploitation allows an attacker to change the administrator's username and password, gaining full control over the ERP system. This can lead to data theft, system compromise, and further attacks.
Mitigation
As of the publication date, no official patch has been released. Users should apply strong access controls, disable the endpoint if not needed, or implement CSRF protections manually.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
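The "implement CSRF protections manually" advice in the Mitigation section usually means the synchronizer-token pattern: the server issues a secret, session-bound token, embeds it in its own forms, and rejects any state-changing request that does not carry it back. The PHP below is an added example written for this page, not code from ABC ERP; the function names csrf_token(), csrf_verify() and same_origin(), the deployment origin, and the form layout are assumptions, and the actual credential update is left as a comment. The field names match the parameters named in the description only so the example reads against the affected script.

```php
<?php
// Added example (not ABC ERP's code): a minimal synchronizer-token CSRF
// defence for a profile-update handler. Function names, the deployment
// origin and the form markup are assumptions for illustration.

declare(strict_types=1);

// Defence in depth: a SameSite=Lax, HttpOnly, Secure session cookie is not
// attached to cross-site POSTs by modern browsers, so a forged form from
// another origin arrives without the admin's session in the first place.
session_set_cookie_params([
    'samesite' => 'Lax',
    'httponly' => true,
    'secure'   => true,
]);
session_start();

// Issue (or reuse) a per-session secret token: 32 random bytes, hex-encoded.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Verify a submitted token in constant time. True only when a token exists
// in the session and the submitted value matches it exactly.
function csrf_verify(?string $submitted): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    if ($expected === '' || $submitted === null) {
        return false;
    }
    return hash_equals($expected, $submitted);
}

// Second check: when the browser sends an Origin header it must be ours.
// Absent headers fall back to the token check alone.
function same_origin(string $expectedOrigin): bool
{
    $origin = $_SERVER['HTTP_ORIGIN'] ?? null;
    return $origin === null || hash_equals($expectedOrigin, $origin);
}

$expectedOrigin = 'https://erp.example.test'; // assumed deployment origin

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Reject before any state is touched; log for detection.
    if (!same_origin($expectedOrigin) || !csrf_verify($_POST['csrf_token'] ?? null)) {
        error_log('CSRF check failed on profile update from ' . ($_SERVER['REMOTE_ADDR'] ?? 'unknown'));
        http_response_code(403);
        exit('Request rejected.');
    }

    $newUser  = (string)($_POST['usuario'] ?? '');
    $newPass1 = (string)($_POST['contrasena1'] ?? '');
    $newPass2 = (string)($_POST['contrasena2'] ?? '');
    if ($newUser === '' || $newPass1 === '' || $newPass1 !== $newPass2) {
        http_response_code(400);
        exit('Invalid input.');
    }

    // Persist the change here (omitted). A credential change should also
    // require the admin's current password before it is accepted.

    // Rotate the token after a successful state change.
    unset($_SESSION['csrf_token']);
    exit('Profile updated.');
}

// GET: render the form with the token as a hidden field.
$token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
echo <<<HTML
<form method="post" action="_configurar_perfil.php">
  <input type="hidden" name="csrf_token" value="{$token}">
  <input name="usuario" placeholder="username">
  <input type="password" name="contrasena1" placeholder="new password">
  <input type="password" name="contrasena2" placeholder="repeat password">
  <button type="submit">Save</button>
</form>
HTML;
```

The token check is the primary control; the SameSite cookie and Origin comparison reduce exposure on clients or paths where the token might be mishandled, and the 403 log line gives a detection hook for forged submissions. Rejecting GET for the update keeps a crafted link from triggering the change at all.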
Affected products: 1
Patches: 0 (no patches discovered yet)
References: 2
News mentions: 0 (no linked articles in our index yet)