CVE-2025-10317

Vulnerability

Overview

CVE-2025-10317 is a Cross-Site Request Forgery (CSRF) vulnerability in OpenSolution Quick.Cart, specifically within the product creation functionality. The software does not implement any anti-CSRF tokens or other protection mechanisms, making all forms in the application potentially vulnerable [1]. The vendor was notified but did not provide details on the vulnerable version range; only version 6.7 was tested and confirmed as vulnerable [1].

Exploitation

An attacker can craft a malicious website that, when visited by an authenticated administrator, automatically sends a forged POST request to the Quick.Cart application. This request creates a new product with content defined by the attacker [1]. The attack requires no special requires no special privileges beyond the admin being logged in and visiting the attacker-controlled page.

Impact

Successful exploitation allows the attacker to create arbitrary products in the Quick.Cart store. This could be used to inject malicious content, manipulate inventory, or potentially serve as a stepping stone for further attacks, such as stored XSS if the product data is rendered unsafely [1].

Mitigation

As of the publication date (2025-10-30), no patch or official response from the vendor has been released. Users of Quick.Cart 6.7 and possibly other versions are advised to implement CSRF protection manually, such as adding anti-CSRF tokens to all forms, or to restrict admin access to trusted networks [1]. The vulnerability has been publicly disclosed by CERT Polska [1].