CVE-2019-25259

🗓️ 07 Jan 2026 23:09:57Reported by VulnCheckType

cve🔗 web.nvd.nist.gov👁 5 Views🌐 WEB

CVE-2019-25259 in Leica Geosystems GR series enables cross-site forgery to perform admin actions.

Reporter	Title	Published	Views	Family All 7
Circl	CVE-2019-25259	8 Jan 202621:03	–	circl
CNNVD	Leica Geosystems多款产品跨站请求伪造漏洞	8 Jan 202600:00	–	cnnvd
Cvelist	CVE-2019-25259 Leica Geosystems GR10/GR25/GR30/GR50 GNSS 4.30.063 Cross-Site Request Forgery	7 Jan 202623:09	–	cvelist
NVD	CVE-2019-25259	8 Jan 202600:15	–	nvd
Positive Technologies	PT-2026-1672	7 Jan 202600:00	–	ptsecurity
Vulnrichment	CVE-2019-25259 Leica Geosystems GR10/GR25/GR30/GR50 GNSS 4.30.063 Cross-Site Request Forgery	7 Jan 202623:09	–	vulnrichment
Zero Science Lab	Leica Geosystems GR10/GR25/GR30/GR50 GNSS 4.30.063 Cross-Site Request Forgery	5 Jan 201900:00	–	zeroscience

Vulners

Node

leica_geosystems_ag leica_geosystems_gr10/gr25/gr30/gr50_gnssMatch4.30.063

leica_geosystems_ag leica_geosystems_gr10/gr25/gr30/gr50_gnssMatch4.20.232

leica_geosystems_ag leica_geosystems_gr10/gr25/gr30/gr50_gnssMatch4.11.606

leica_geosystems_ag leica_geosystems_gr10/gr25/gr30/gr50_gnssMatch3.22.1818

leica_geosystems_ag leica_geosystems_gr10/gr25/gr30/gr50_gnssMatch3.10.1633

leica_geosystems_ag leica_geosystems_gr10/gr25/gr30/gr50_gnssMatch2.62.782

leica_geosystems_ag leica_geosystems_gr10/gr25/gr30/gr50_gnssMatch1.00.395

[
  {
    "vendor": "Leica Geosystems AG",
    "product": "Leica Geosystems GR10/GR25/GR30/GR50 GNSS",
    "versions": [
      {
        "version": "4.30.063",
        "status": "affected"
      },
      {
        "version": "4.20.232",
        "status": "affected"
      },
      {
        "version": "4.11.606",
        "status": "affected"
      },
      {
        "version": "3.22.1818",
        "status": "affected"
      },
      {
        "version": "3.10.1633",
        "status": "affected"
      },
      {
        "version": "2.62.782",
        "status": "affected"
      },
      {
        "version": "1.00.395",
        "status": "affected"
      }
    ]
  }
]

Source	Link
zeroscience	www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5502.php
packetstormsecurity	www.packetstormsecurity.com/files/151040
leica-geosystems	www.leica-geosystems.com/en-us
exchange	www.exchange.xforce.ibmcloud.com/vulnerabilities/155275
exploit-db	www.exploit-db.com/exploits/46090

Parameter	Position	Path	Description	CWE
txtHelpPage	request body	192.168.1.17/config/config_UserManagementPostBackHelper.lsp	CSRF vulnerability: unauthenticated or unvalidated requests can perform administrative actions via a forged POST to the User Management endpoint.	CWE-352
txtUsername	request body	192.168.1.17/config/config_UserManagementPostBackHelper.lsp	CSRF vulnerability: unauthenticated or unvalidated requests can perform administrative actions via a forged POST to the User Management endpoint.	CWE-352
txtPassword	request body	192.168.1.17/config/config_UserManagementPostBackHelper.lsp	CSRF vulnerability: unauthenticated or unvalidated requests can perform administrative actions via a forged POST to the User Management endpoint.	CWE-352
txtConfirmPassword	request body	192.168.1.17/config/config_UserManagementPostBackHelper.lsp	CSRF vulnerability: unauthenticated or unvalidated requests can perform administrative actions via a forged POST to the User Management endpoint.	CWE-352
webRole	request body	192.168.1.17/config/config_UserManagementPostBackHelper.lsp	CSRF vulnerability: unauthenticated or unvalidated requests can perform administrative actions via a forged POST to the User Management endpoint.	CWE-352
ftpRole	request body	192.168.1.17/config/config_UserManagementPostBackHelper.lsp	CSRF vulnerability: unauthenticated or unvalidated requests can perform administrative actions via a forged POST to the User Management endpoint.	CWE-352
TxtOperationMode	request body	192.168.1.17/config/config_UserManagementPostBackHelper.lsp	CSRF vulnerability: unauthenticated or unvalidated requests can perform administrative actions via a forged POST to the User Management endpoint.	CWE-352
txtEditedUser	request body	192.168.1.17/config/config_UserManagementPostBackHelper.lsp	CSRF vulnerability: unauthenticated or unvalidated requests can perform administrative actions via a forged POST to the User Management endpoint.	CWE-352
userId	request body	192.168.1.17/config/config_UserManagementPostBackHelper.lsp	CSRF vulnerability: unauthenticated or unvalidated requests can perform administrative actions via a forged POST to the User Management endpoint.	CWE-352

15 Apr 2026 00:35Current

6.4Medium risk

Vulners AI Score6.4

CVSS 45.1

CVSS 3.15.3

EPSS0.00028

SSVC

CWE-352