2025-12-24 19:27 · CVE-2019-25233 · VulnCheck
PUBLISHED · 5.2 · CWE-79

AVE DOMINAplus 1.10.x Cross-Site Request Forgery and XSS Vulnerabilities

AVE DOMINAplus 1.10.x contains cross-site request forgery and cross-site scripting vulnerabilities that allow attackers to perform administrative actions without the user's consent. An attacker can craft a malicious web page that exploits the login.php parameters and executes arbitrary script in the user's browser session.

Problem type

Affected products

AVE S.p.A.

DOMINAplus

Web Server Code 53AB-WBS - 1.10.62 - AFFECTED

References

GitHub Security Advisories

GHSA-jj2g-vwxg-qv6m

AVE DOMINAplus 1.10.x contains cross-site request forgery and cross-site scripting...

https://github.com/advisories/GHSA-jj2g-vwxg-qv6m

AVE DOMINAplus 1.10.x contains cross-site request forgery and cross-site scripting vulnerabilities that allow attackers to perform administrative actions without the user's consent. An attacker can craft a malicious web page that exploits the login.php parameters and executes arbitrary script in the user's browser session.

JSON source

https://cveawg.mitre.org/api/cve/CVE-2019-25233
{
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "cveMetadata": {
    "cveId": "CVE-2019-25233",
    "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
    "assignerShortName": "VulnCheck",
    "dateUpdated": "2025-12-24T20:24:12.386Z",
    "dateReserved": "2025-12-24T14:27:05.793Z",
    "datePublished": "2025-12-24T19:27:54.735Z",
    "state": "PUBLISHED"
  },
  "containers": {
    "cna": {
      "providerMetadata": {
        "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "shortName": "VulnCheck",
        "dateUpdated": "2025-12-24T19:27:54.735Z"
      },
      "datePublic": "2019-12-30T00:00:00.000Z",
      "title": "AVE DOMINAplus 1.10.x Cross-Site Request Forgery and XSS Vulnerabilities",
      "descriptions": [
        {
          "lang": "en",
          "value": "AVE DOMINAplus 1.10.x contains cross-site request forgery and cross-site scripting vulnerabilities that allow attackers to perform administrative actions without user consent. Attackers can craft malicious web pages to exploit login.php parameters and execute arbitrary scripts in user browser sessions."
        }
      ],
      "affected": [
        {
          "vendor": "AVE S.p.A.",
          "product": "DOMINAplus",
          "versions": [
            {
              "version": "Web Server Code 53AB-WBS - 1.10.62",
              "status": "affected"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "lang": "en",
              "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
              "cweId": "CWE-79",
              "type": "CWE"
            },
            {
              "lang": "en",
              "description": "Cross-Site Request Forgery (CSRF)",
              "cweId": "CWE-352",
              "type": "CWE"
            }
          ]
        }
      ],
      "references": [
        {
          "url": "https://www.exploit-db.com/exploits/47821",
          "name": "ExploitDB-47821",
          "tags": [
            "exploit"
          ]
        },
        {
          "url": "https://www.ave.it",
          "name": "AVE S.p.A. Official Website",
          "tags": [
            "product"
          ]
        },
        {
          "url": "https://www.domoticaplus.it",
          "name": "DOMINAplus Product Page",
          "tags": [
            "product"
          ]
        },
        {
          "url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5547.php",
          "name": "Zero Science Lab Disclosure (ZSL-2019-5547)",
          "tags": [
            "third-party-advisory"
          ]
        }
      ],
      "metrics": [
        {
          "format": "CVSS"
        },
        {
          "format": "CVSS",
          "cvssV3_1": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM"
          }
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "LiquidWorm as Gjoko Krstic of Zero Science Lab",
          "type": "finder"
        }
      ]
    },
    "adp": [
      {
        "providerMetadata": {
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP",
          "dateUpdated": "2025-12-24T20:24:12.386Z"
        },
        "title": "CISA ADP Vulnrichment",
        "references": [
          {
            "url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5547.php",
            "tags": [
              "exploit"
            ]
          }
        ],
        "metrics": [
          {}
        ]
      }
    ]
  }
}