Vulnerability Description
Wimi Teamwork versions prior to 7.38.17 contains a cross-site request forgery (CSRF) vulnerability in its API. The API accepts any authenticated request that contains a JSON field named 'csrf_token' without validating the field’s value; only the presence of the field is checked. An attacker can craft a cross-site request that causes a logged-in victim’s browser to submit a JSON POST containing an arbitrary or empty 'csrf_token', and the API will execute the request with the victim’s privileges. Successful exploitation can allow an attacker to perform privileged actions as the victim potentially resulting in account takeover, privilege escalation, or service disruption.
Related Weaknesses (CWE)
References
- https://www.vulncheck.com/advisories/wimi-teamwork-csrf
- https://www.wimi-teamwork.com/
- https://www.wimi-teamwork.com/product-news/release-7-38/
FAQ
What is CVE-2025-34133?
CVE-2025-34133 is a documented vulnerability. Wimi Teamwork versions prior to 7.38.17 contains a cross-site request forgery (CSRF) vulnerability in its API. The API accepts any authenticated request that contains a JSON field named 'csrf_token' w...
How severe is CVE-2025-34133?
CVSS scoring is not yet available for CVE-2025-34133. Check NVD for updates.
Is there a patch for CVE-2025-34133?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.