VYPR
Medium severity (CVSS 4.3) · NVD Advisory · Published Nov 13, 2025 · Updated Apr 29, 2026

CVE-2025-13119

Description

A flaw has been found in Fabian Ros/SourceCodester Simple E-Banking System 1.0. The affected component is not named in the NVD description; the analysis below identifies the withdrawal handler /minus.php. The manipulation causes cross-site request forgery. The attack may be initiated remotely. The exploit has been published and may be used.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A CSRF vulnerability in Simple E-Banking System 1.0 lets an attacker make an authenticated user's browser submit a withdrawal the user never intended, leading to direct financial loss.

Vulnerability

Overview

A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the Simple E-Banking System version 1.0 by Fabian Ros. The flaw resides in the /minus.php script that handles withdrawal requests. The application does not bind withdrawal requests to an anti-CSRF token, so a request that carries nothing but the victim's session cookie is accepted; an attacker can therefore craft a request that rides on the victim's active session [1].

Exploitation

An attacker can exploit this by tricking an authenticated user into visiting a specially crafted webpage. The page automatically submits a POST request to /minus.php with attacker-chosen withdrawal parameters. Because the browser attaches the user's session cookie to that request, the server cannot distinguish it from a withdrawal submitted through the bank's own form and processes it as legitimate, executing the withdrawal without the user's knowledge or consent [1].

Impact

Successful exploitation enables an attacker to force the victim to withdraw an arbitrary amount of money from their account, resulting in direct financial loss. Although the NVD score is 4.3 (medium), largely because the attack requires the victim to be logged in and to visit an attacker-controlled page, the consequence for an individual victim is the loss of funds, and no interaction beyond loading the malicious page is needed [1].

Mitigation

As of the publication date, no official patch has been released. The vendor should implement anti-CSRF tokens for all state-changing requests, particularly the withdrawal endpoint: a per-session secret embedded in the form, compared on the server with a constant-time comparison and rejected when absent. Defence in depth that does not depend on a vendor fix includes marking the session cookie SameSite=Lax or Strict (which makes modern browsers withhold it from cross-site POSTs), verifying the Origin or Referer header on money-moving requests, and requiring re-authentication or a second factor for withdrawals. Users are advised to avoid clicking untrusted links while logged into the application, to log out when finished, and to monitor account activity for unauthorized transactions [1].
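The following is an added example, not code from Simple E-Banking System or from the cited references. It shows the cookie-only pattern the Exploitation section describes beside a hardened handler of the kind the Mitigation section calls for. The request field names (amount, csrf_token), the withdraw_* helpers, the expected origin https://bank.example and the attacker origin https://evil.example are all assumptions; the real /minus.php field names are not given in the advisory. Both handlers take the request and session as arrays so the block runs stand-alone under the PHP CLI without a web server.

```php
<?php
// Added example for CVE-2025-13119; not the vendor's code.
// Field names, helper names and origins below are hypothetical.

// --- Vulnerable pattern (constructed) ---------------------------------------
// Authorises the withdrawal purely on the presence of a logged-in session.
// The browser sends the session cookie with a cross-site POST too, so a hidden
// form on an attacker's page is accepted exactly like the bank's own form.
function withdraw_vulnerable(array $post, array $session): array
{
    if (empty($session['user_id'])) {
        return ['ok' => false, 'error' => 'not logged in'];
    }
    $amount = (float) ($post['amount'] ?? 0);
    return ['ok' => true, 'user' => $session['user_id'], 'amount' => $amount];
}

// --- Hardened version -------------------------------------------------------
// 1. Per-session secret. The attacker's page cannot read it: the same-origin
//    policy keeps the bank's HTML and its session storage out of reach.
function csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// 2. Constant-time comparison; a missing token or missing session copy fails.
function csrf_valid(?string $submitted, array $session): bool
{
    if ($submitted === null || empty($session['csrf_token'])) {
        return false;
    }
    return hash_equals($session['csrf_token'], $submitted);
}

// 3. Defence in depth: a money-moving endpoint rejects requests whose Origin
//    header is absent or names another site.
function origin_allowed(array $server, string $expectedOrigin): bool
{
    $origin = $server['HTTP_ORIGIN'] ?? null;
    return $origin !== null && strcasecmp($origin, $expectedOrigin) === 0;
}

function withdraw_hardened(array $post, array $server, array $session, string $expectedOrigin): array
{
    if (empty($session['user_id'])) {
        return ['ok' => false, 'error' => 'not logged in'];
    }
    if (($server['REQUEST_METHOD'] ?? 'GET') !== 'POST') {
        return ['ok' => false, 'error' => 'method not allowed'];
    }
    if (!origin_allowed($server, $expectedOrigin)) {
        return ['ok' => false, 'error' => 'bad origin'];
    }
    if (!csrf_valid($post['csrf_token'] ?? null, $session)) {
        return ['ok' => false, 'error' => 'invalid csrf token'];
    }
    $amount = filter_var($post['amount'] ?? null, FILTER_VALIDATE_FLOAT);
    if ($amount === false || $amount <= 0) {
        return ['ok' => false, 'error' => 'invalid amount'];
    }
    return ['ok' => true, 'user' => $session['user_id'], 'amount' => $amount];
}

// The bank's own withdrawal form carries the token; an attacker's page cannot.
function render_withdraw_form(array &$session): string
{
    $token = htmlspecialchars(csrf_token($session), ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="/minus.php">'
         . '<input type="hidden" name="csrf_token" value="' . $token . '">'
         . '<input name="amount"><button>Withdraw</button></form>';
}

// --- Constructed requests -----------------------------------------------------
$session = ['user_id' => 42];                       // victim is logged in
$bank    = 'https://bank.example';

// Forged cross-site POST: session cookie present, no token, foreign Origin.
$forgedPost   = ['amount' => '500'];
$forgedServer = ['REQUEST_METHOD' => 'POST', 'HTTP_ORIGIN' => 'https://evil.example'];
print_r(withdraw_vulnerable($forgedPost, $session));
print_r(withdraw_hardened($forgedPost, $forgedServer, $session, $bank));

// Legitimate POST from the bank's own form, which embedded the session token.
render_withdraw_form($session);
$legitPost   = ['amount' => '500', 'csrf_token' => csrf_token($session)];
$legitServer = ['REQUEST_METHOD' => 'POST', 'HTTP_ORIGIN' => $bank];
print_r(withdraw_hardened($legitPost, $legitServer, $session, $bank));
```

Running the script under php-cli shows the vulnerable handler accepting the forged request on the strength of the session alone, while the hardened handler rejects it first on Origin and, were the Origin check removed, on the missing token; only the request built from the bank's own form passes. In a deployed application the token check belongs in every state-changing handler, not just /minus.php, and the session cookie should additionally be issued with session_set_cookie_params(['samesite' => 'Lax', 'secure' => true, 'httponly' => true]) so that browsers withhold it from cross-site POSTs even before the token is checked.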

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)


References: 3

News mentions: 0 (no linked articles indexed)