VYPR
Medium severity 4.3 · NVD Advisory · Published Apr 28, 2025 · Updated Apr 15, 2026

CVE-2025-3997

Description

A vulnerability classified as problematic has been found in dazhouda lecms 3.0.3. This affects an unknown part of the file /index.php?my-profile-ajax-1 of the component Personal Information Page. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Lecms 3.0.3 personal information page lacks CSRF tokens, allowing attackers to modify victim profiles via crafted requests.

Root Cause

A cross-site request forgery (CSRF) vulnerability exists in lecms 3.0.3. The endpoint /index.php?my-profile-ajax-1 on the Personal Information page does not include any anti-CSRF tokens or origin validation. The official description and the detailed proof-of-concept [1] confirm that the manipulation of profile fields (author, email, mobile, homepage, intro) is performed via a simple POST request, and the application does not verify whether the request originated from the legitimate user's session or an external page.

Exploitation

An attacker can craft an HTML page that, when visited by an authenticated lecms user, silently submits a forged POST request to the vulnerable endpoint. The PoC from reference [1] demonstrates using Burp Suite's CSRF PoC generator to create such a page. The attacker only needs to host the malicious page on any website; the attack is remote and does not require any special network position beyond luring an authenticated user to the page.

Impact

Successful exploitation allows the attacker to modify the victim's personal profile information (e.g., email, mobile number, homepage) without their consent. While the impact is limited to data modification on the user's own profile, it could be leveraged for further social engineering attacks or account takeover if combined with other weaknesses.

Mitigation

As of publication, no official patch has been released. The vendor recommends implementing CSRF tokens (e.g., nonce values) on all state-changing operations and validating the Origin/Referer headers. Since the exploit has been publicly disclosed and a PoC is available, administrators should apply access controls or Web Application Firewall (WAF) rules until an update is provided.
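The two checks named above (an Origin/Referer comparison and a session-bound nonce token) can be sketched as a request filter placed in front of a state-changing handler such as the profile update. This is an added example, not lecms code or the vendor's fix; `SITE_ORIGIN`, `TOKEN_FIELD`, the key handling and all function names are assumptions.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Assumed values, not taken from lecms: origin, key handling, field name.
SITE_ORIGIN = "https://cms.example"    # constructed placeholder origin
SECRET_KEY = secrets.token_bytes(32)   # server-side secret, never sent to clients
TOKEN_FIELD = "csrf_token"             # hypothetical hidden form field
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}

def origin_of(url):
    """Return scheme://host[:port] of an absolute URL, else None."""
    parts = urlsplit(url or "")
    if not parts.scheme or not parts.netloc:
        return None  # covers a missing header and the literal "null" origin
    return f"{parts.scheme}://{parts.netloc}".lower()

def _mac(session_id, nonce):
    """HMAC-SHA256 over session id and nonce, so a token is useless elsewhere."""
    msg = f"{session_id}|{nonce}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()

def issue_token(session_id):
    """Create the value embedded in the profile form for this session."""
    nonce = secrets.token_hex(16)
    return f"{nonce}.{_mac(session_id, nonce)}"

def token_valid(session_id, token):
    """Recompute the MAC and compare in constant time."""
    nonce, _, mac_hex = (token or "").partition(".")
    expected = _mac(session_id, nonce)
    return bool(nonce) and hmac.compare_digest(expected.encode(), mac_hex.encode())

def check_request(method, headers, session_id, form):
    """Return (allowed, reason) for a request to a state-changing handler."""
    if method.upper() not in STATE_CHANGING:
        return True, "safe method"
    # Prefer Origin, fall back to Referer, reject when neither is usable.
    src = origin_of(headers.get("Origin") or headers.get("Referer"))
    if src is None:
        return False, "no usable Origin/Referer"
    if src != SITE_ORIGIN:
        return False, f"cross-origin request from {src}"
    if not token_valid(session_id, form.get(TOKEN_FIELD)):
        return False, "missing or invalid CSRF token"
    return True, "ok"
```

Rejecting requests that carry neither header is the strict choice; the Origin/Referer comparison alone is the part that can be expressed as a proxy or WAF rule, while the token check has to run in the application.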

References

[1] dtwin88. (2025). lecms V3.0.3: Cross-site request forgery in personal information page. GitHub. https://github.com/dtwin88/cve-md/blob/main/lecms%20V3.0.3/lecms_4.md

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches

No patches discovered yet.
