LiveActive security incident?Get immediate response
CVE Record

CVE-2022-25523: TypesetterCMS v5.1 was discovered to contain a Cross-Site Request Forgery (CSRF) which is exploited via a c...

TypesetterCMS v5.1 was discovered to contain a Cross-Site Request Forgery (CSRF) which is exploited via a crafted POST request.

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysisunknown

Security readout for executives and security teams

Plain-English summary

CVE-2022-25523 is a reported CSRF issue in TypesetterCMS v5.1. An attacker could potentially cause a logged-in user’s browser to send an unintended POST request. Public data does not describe the exact affected action, impact, patch, or active exploitation.

Executive priority

Treat this as a targeted validation item, not an emergency based on current evidence. Prioritize if TypesetterCMS v5.1 supports public websites or privileged business publishing workflows.

Technical view

The CVE record describes a Cross-Site Request Forgery in TypesetterCMS v5.1 exploitable via a crafted POST request. No CVSS score, CWE mapping, detailed endpoint, or fixed version is provided in the supplied sources. CISA KEV status is false.

Likely exposure

Organizations running TypesetterCMS v5.1 are the only clearly identified exposure from the provided sources. Risk is most relevant where privileged CMS users remain logged in while browsing untrusted content.

Exploitation context

The reported attack pattern is CSRF using a crafted POST request. The sources do not confirm public exploit activity, weaponized exploitation, or CISA KEV listing. CSRF generally depends on user interaction and an authenticated browser session.

Researcher notes

Evidence is sparse: the CVE description names CSRF and crafted POST only. The supplied record lacks impact detail, affected endpoint, scoring, and remediation. Avoid assuming exploitability beyond authenticated user-driven CSRF until vendor or issue details confirm more.

Mitigation direction

  • Inventory internet-facing and internal TypesetterCMS deployments.
  • Confirm whether any deployment runs TypesetterCMS v5.1.
  • Review the linked vendor and GitHub issue for maintainer guidance.
  • Apply any vendor-provided update or mitigation if available.
  • Limit administrative access to trusted networks where feasible.
  • Train CMS administrators to avoid untrusted links while authenticated.

Validation and detection

  • Check application banners, files, or admin pages for TypesetterCMS version evidence.
  • Review CMS logs for unexpected authenticated POST actions.
  • Verify whether CSRF protections exist on sensitive POST workflows.
  • Confirm vendor guidance status from the referenced GitHub issue.
  • Document compensating controls for any unpatched v5.1 deployment.
Prepared
Confidence
medium
Sources
4

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2022-25523 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
1ADP providers
3Source links

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CVECVE Program Container
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
n/an/an/aListed
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.