CVE-2025-7078
Description
A vulnerability classified as problematic was found in 07FLYCMS, 07FLY-CMS and 07FlyCRM up to 1.3.9. This vulnerability affects unknown code. The manipulation leads to cross-site request forgery. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. This product is published under multiple names. The vendor was contacted early about this disclosure but did not respond in any way.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
07FLYCMS and 07FlyCRM up to version 1.3.9 are vulnerable to cross-site request forgery (CSRF) in the leave deletion endpoint, allowing remote attackers to delete leave records without user consent.
Vulnerability Details
CVE-2025-7078 describes a cross-site request forgery (CSRF) vulnerability in 07FLYCMS, 07FLY-CMS, and 07FlyCRM versions up to 1.3.9. The affected component is the leave deletion endpoint at /oa/OaLeave/del.html. The application does not implement any anti-CSRF token or validation mechanism, allowing an attacker to craft a malicious HTML form that, when visited by an authenticated user, submits a POST request to delete a leave record [1].
Exploitation
The attack is carried out remotely by tricking a logged-in user into clicking a link or visiting a page containing the crafted form. The PoC provided uses a simple HTML form with a hidden id field, which is automatically submitted using JavaScript. No special privileges are required beyond the victim having an active session in the CRM application. The exploit has been publicly disclosed [1].
Impact
Successful exploitation leads to the deletion of leave records without the victim's knowledge or consent. While the CVSS score is 4.3 (Medium), the impact is limited to data integrity on a single function. No authentication bypass or privilege escalation is involved.
Mitigation
The vendor was contacted but did not respond. As of the publication date, no patch or official workaround has been released. Users are advised to implement additional CSRF protections, such as same-site cookies or custom request validation headers, until an update becomes available.
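As an added illustration of the mitigations listed above (this is example code written for this page, not code from the 07FLY project or from the cited advisory), the following Python shows the two controls a defender would put in front of a state-changing endpoint such as the leave deletion route: a per-session synchronizer token accepted from the form body or a custom header and compared in constant time, plus an Origin/Referer check and a SameSite=Strict session cookie. The session and request classes, the trusted origin `https://crm.example`, the handler name `handle_leave_delete` and the sample leave record are all constructed for the example; only the `/oa/OaLeave/del.html` path comes from the advisory.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional
from urllib.parse import urlsplit

# Constructed value for this example; a real deployment uses whatever origin
# the CRM is served from. Nothing here is taken from the 07FLY code base.
TRUSTED_ORIGIN = "https://crm.example"


@dataclass
class Session:
    """Minimal server-side session stand-in (hypothetical). The anti-CSRF token
    lives here, so an attacker's page cannot read or forge it."""
    user_id: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    """Only the parts of an HTTP request the checks below need."""
    method: str
    path: str
    headers: Dict[str, str]
    form: Dict[str, str]
    session: Optional[Session] = None   # None means no valid session cookie


def session_cookie_header(name: str, value: str) -> str:
    """Set-Cookie value for the session cookie. SameSite=Strict stops the browser
    attaching it to a POST issued from another site, which is the 'same-site
    cookies' mitigation the advisory mentions."""
    return f"{name}={value}; Path=/; HttpOnly; Secure; SameSite=Strict"


def same_origin(request: Request, trusted_origin: str) -> bool:
    """Origin/Referer check: browsers send Origin on cross-site POSTs, so a form
    auto-submitted from another site is rejected here. With neither header
    present we fail closed rather than guess."""
    origin = request.headers.get("Origin")
    if origin is None:
        referer = request.headers.get("Referer")
        if referer is None:
            return False
        parts = urlsplit(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin == trusted_origin


def is_csrf_safe(request: Request, trusted_origin: str = TRUSTED_ORIGIN) -> bool:
    """Synchronizer-token check for state-changing requests. The token may come
    from the form body or from a custom header (the 'custom request validation
    header' mitigation) and must match the one stored in the session."""
    if request.method.upper() in ("GET", "HEAD", "OPTIONS"):
        return True        # safe methods must not mutate state; nothing to protect
    if request.session is None:
        return False
    if not same_origin(request, trusted_origin):
        return False
    submitted = request.form.get("_csrf_token") or request.headers.get("X-CSRF-Token", "")
    # Constant-time comparison so the token cannot be recovered byte by byte via timing.
    return hmac.compare_digest(submitted, request.session.csrf_token)


def handle_leave_delete(request: Request, leave_store: Dict[str, str],
                        trusted_origin: str = TRUSTED_ORIGIN) -> int:
    """Hypothetical hardened version of a /oa/OaLeave/del.html-style handler.
    Returns an HTTP status code; the record is removed only after the check passes."""
    if not is_csrf_safe(request, trusted_origin):
        return 403
    leave_id = request.form.get("id", "")
    if leave_id not in leave_store:
        return 404
    del leave_store[leave_id]
    return 200


def demo() -> Dict[str, int]:
    """Run a forged cross-site POST and a legitimate same-origin POST through
    the handler and return each status so the outcome is checkable."""
    session = Session(user_id="alice")
    store = {"17": "leave request #17"}           # constructed sample record
    forged = Request("POST", "/oa/OaLeave/del.html",
                     {"Origin": "https://attacker.example"},
                     {"id": "17"}, session)       # no token, foreign origin
    legit = Request("POST", "/oa/OaLeave/del.html",
                    {"Origin": TRUSTED_ORIGIN},
                    {"id": "17", "_csrf_token": session.csrf_token}, session)
    return {"forged": handle_leave_delete(forged, store),
            "legit": handle_leave_delete(legit, store),
            "remaining": len(store)}


if __name__ == "__main__":
    print(demo())   # {'forged': 403, 'legit': 200, 'remaining': 0}
```

The origin check and the token check are deliberately independent: the cookie attribute protects users on browsers that honour SameSite, the origin check catches the auto-submitted cross-site form described in the advisory, and the token is the control that still holds when neither header can be relied on. A detection rule for the unpatched product can key on the same signals, flagging POSTs to the deletion path whose Origin or Referer is not the CRM's own host.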
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/Excentique/yuxuan_mei/blob/main/07fly-crm_1.md (NVD: Exploit, Third Party Advisory)
- vuldb.com (NVD: Third Party Advisory, VDB Entry)
- vuldb.com (NVD: Third Party Advisory, VDB Entry)
- vuldb.com (NVD: Permissions Required, VDB Entry)
News mentions
No linked articles in our index yet.