Impact
A function in the e‑commerce application can be manipulated to trigger a state‑changing request without the user’s intent, enabling an attacker to perform unauthorized actions on behalf of an authenticated user. This weakness is a classic CSRF flaw (CWE-352) that can also allow access to privileged functionality (CWE-862). The vulnerability is exploitable remotely and public exploits are available, so an attacker could automate the abuse from any location.
Affected Systems
The product affected is imhamzaazam ecommerceFlask. No specific version numbers are available because the project uses a rolling release model and the vendor has not released a patched version or responded to vulnerability reports.
Risk and Exploitability
The CVSS score of 5.3 indicates a moderate severity, and the EPSS score of less than 1% marks the likelihood of exploitation as low at the time of analysis. The vulnerability is not listed in the CISA KEV catalog. The attack can be initiated remotely by sending crafted requests to the unknown function; the absence of a CSRF token or other origin validation permits execution of actions that would normally require user interaction. Because no official patch or workaround is available, the risk persists until the vendor implements CSRF protection or a fixed release is made available.
OpenCVE Enrichment