CVE-2025-25748: 
Linux Debian vulnerability analysis and mitigation

A Cross-Site Request Forgery (CSRF) vulnerability was discovered in HotelDruid 3.0.7, specifically in the gestione_utenti.php endpoint. The vulnerability was initially reported on March 11, 2025, and allows attackers to perform unauthorized actions on behalf of authenticated users. However, this vulnerability is currently disputed as there appears to be an id_sessione CSRF token in place (NVD).

The vulnerability exists in the gestione_utenti.php endpoint and reportedly stems from the lack of origin or referrer validation and the absence of CSRF tokens. The affected parameters include modifica_pass, id_utente_pass, prima_pass, and seconda_pass. The CVSS 3.1 base score is 7.3 (HIGH) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L. The vulnerability is classified under CWE-352 (Cross-Site Request Forgery) (Security Research, NVD).

The vulnerability can lead to unauthorized password changes and potential account takeovers, including administrative accounts. Attackers can leverage victims' active sessions to make unauthorized administrative changes, potentially exposing sensitive user and operational data to breach risks. The impact extends to all user accounts, particularly concerning administrative ones that could be compromised without user consent (Security Research).

Recommended mitigations include implementing and enforcing unique anti-CSRF tokens for all state-changing forms and requests, validating Referer and Origin headers, restricting sensitive operations to POST requests only, enhancing session management by regenerating session tokens after login, and implementing user notifications for sensitive actions like password changes (Security Research).