{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-6001", "assignerOrgId": "27b6da8a-f51d-48d9-9eef-9b7f3405d20d", "state": "PUBLISHED", "assignerShortName": "BLSOPS", "dateReserved": "2025-06-11T15:35:15.142Z", "datePublished": "2025-06-11T16:26:25.896Z", "dateUpdated": "2025-06-11T17:49:41.382Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://virtuemart.net/", "defaultStatus": "unaffected", "packageName": "VirtueMart", "platforms": ["Windows", "Linux"], "product": "VirtueMart", "repo": "https://dev.virtuemart.net/", "vendor": "VirtueMart", "versions": [{"lessThan": "4.4.10", "status": "affected", "version": "3.0.0", "versionType": "4.4.10"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "A Cross-Site Request Forgery (CSRF) vulnerability exists in the product image upload function of VirtueMart that bypasses the CSRF protection token. An attacker is able to craft a special CSRF request which will allow unrestricted file upload into the VirtueMart media manager."}], "value": "A Cross-Site Request Forgery (CSRF) vulnerability exists in the product image upload function of VirtueMart that bypasses the CSRF protection token. An attacker is able to craft a special CSRF request which will allow unrestricted file upload into the VirtueMart media manager."}], "impacts": [{"capecId": "CAPEC-62", "descriptions": [{"lang": "en", "value": "CAPEC-62 Cross Site Request Forgery"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "27b6da8a-f51d-48d9-9eef-9b7f3405d20d", "shortName": "BLSOPS", "dateUpdated": "2025-06-11T16:26:35.703Z"}, "references": [{"url": "https://blog.blacklanternsecurity.com/p/doomla-zero-days"}], "source": {"discovery": "UNKNOWN"}, "title": "VirtueMart - Cross Site Request Forgery (CSRF)", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-06-11T17:49:18.758271Z", "id": "CVE-2025-6001", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-11T17:49:41.382Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-6001", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-06-11T17:49:18.758271Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-11T17:49:37.510Z"}}], "cna": {"title": "VirtueMart - Cross Site Request Forgery (CSRF)", "source": {"discovery": "UNKNOWN"}, "impacts": [{"capecId": "CAPEC-62", "descriptions": [{"lang": "en", "value": "CAPEC-62 Cross Site Request Forgery"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://dev.virtuemart.net/", "vendor": "VirtueMart", "product": "VirtueMart", "versions": [{"status": "affected", "version": "3.0.0", "lessThan": "4.4.10", "versionType": "4.4.10"}], "platforms": ["Windows", "Linux"], "packageName": "VirtueMart", "collectionURL": "https://virtuemart.net/", "defaultStatus": "unaffected"}], "references": [{"url": "https://blog.blacklanternsecurity.com/p/doomla-zero-days"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "A Cross-Site Request Forgery (CSRF) vulnerability exists in the product image upload function of VirtueMart that bypasses the CSRF protection token. An attacker is able to craft a special CSRF request which will allow unrestricted file upload into the VirtueMart media manager.", "supportingMedia": [{"type": "text/html", "value": "A Cross-Site Request Forgery (CSRF) vulnerability exists in the product image upload function of VirtueMart that bypasses the CSRF protection token. An attacker is able to craft a special CSRF request which will allow unrestricted file upload into the VirtueMart media manager.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "27b6da8a-f51d-48d9-9eef-9b7f3405d20d", "shortName": "BLSOPS", "dateUpdated": "2025-06-11T16:26:35.703Z"}}}, "cveMetadata": {"cveId": "CVE-2025-6001", "state": "PUBLISHED", "dateUpdated": "2025-06-11T17:49:41.382Z", "dateReserved": "2025-06-11T15:35:15.142Z", "assignerOrgId": "27b6da8a-f51d-48d9-9eef-9b7f3405d20d", "datePublished": "2025-06-11T16:26:25.896Z", "assignerShortName": "BLSOPS"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A Cross-Site Request Forgery (CSRF) vulnerability exists in the product image upload function of VirtueMart that bypasses the CSRF protection token. An attacker is able to craft a special CSRF request which will allow unrestricted file upload into the VirtueMart media manager."}, {"lang": "es", "value": "Existe una vulnerabilidad de Cross-Site Request Forgery (CSRF) en la funci\u00f3n de carga de im\u00e1genes de productos de VirtueMart que omite el token de protecci\u00f3n CSRF. Un atacante puede manipular una solicitud CSRF especial que permite la carga sin restricciones de archivos en el administrador de medios de VirtueMart."}], "id": "CVE-2025-6001", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.5, "source": "cves@blacklanternsecurity.com", "type": "Secondary"}]}, "published": "2025-06-11T17:15:43.107", "references": [{"source": "cves@blacklanternsecurity.com", "url": "https://blog.blacklanternsecurity.com/p/doomla-zero-days"}], "sourceIdentifier": "cves@blacklanternsecurity.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "cves@blacklanternsecurity.com", "type": "Secondary"}]}

{}

{"created": "2025-06-24T09:44:14.683989+00:00", "updated": "2025-06-24T09:44:14.684036+00:00", "vendors": ["virtuemart", "virtuemart$PRODUCT$virtuemart"]}