Cyber Posture

CVE-2024-57373

High

Published: 27 January 2025

Published
27 January 2025
Modified
15 April 2026
KEV Added
Patch
CVSS Score 8.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
EPSS Score 0.0022 44.0th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-57373 is a high-severity CSRF (CWE-352) vulnerability. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious Link (T1204.001); ranked at the 44.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Malicious Link (T1204.001). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SC-23 Session Authenticity good match
prevent

SC-23 mandates session authenticity mechanisms such as anti-CSRF tokens, directly preventing forged requests that execute unauthorized actions on behalf of authenticated users.

SI-10 Information Input Validation good match
prevent

SI-10 requires validation of information inputs including CSRF tokens, ensuring only legitimate requests from authenticated users are processed and blocking unauthorized actions.

SI-2 Flaw Remediation good match
prevent

SI-2 requires identification, reporting, and correction of system flaws like this CSRF vulnerability, eliminating the vulnerability to prevent exploitation.

MITRE ATT&CK Enterprise TechniquesAI

T1204.001 Malicious Link Execution
An adversary may rely upon a user clicking a malicious link in order to gain execution.
attack.mitre.org →
Why these techniques?

CSRF flaw directly enables exploitation via crafted malicious link or webpage that triggers unauthorized actions when visited by authenticated user (T1204.001).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Cross Site Request Forgery (CSRF) vulnerability in LifestyleStore v1.0 allows a remote attacker to execute unauthorized actions on behalf of an authenticated user, potentially leading to account modifications or data compromise.

Deeper analysisAI

CVE-2024-57373 is a Cross-Site Request Forgery (CSRF) vulnerability, mapped to CWE-352, in LifestyleStore version 1.0. This flaw allows a remote attacker to execute unauthorized actions on behalf of an authenticated user, potentially leading to account modifications or data compromise. The vulnerability carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N), reflecting its high severity due to network vector, low attack complexity, lack of required privileges, and substantial impacts on confidentiality and integrity with no availability disruption.

A remote attacker without privileges can exploit this issue by inducing an authenticated user to perform an action, such as visiting a malicious webpage or clicking a crafted link, which triggers the unauthorized request. Successful exploitation enables the attacker to act as the victim, achieving outcomes like account alterations or data exposure, directly aligning with the high confidentiality and integrity impact ratings.

Mitigation guidance and further details are available in the referenced advisories, including the exploit demonstration at https://github.com/cypherdavy/CVE-2024-57373 and the affected LifestyleStore repository at https://github.com/sajalagrawal/LifestyleStore. The CVE was published on 2025-01-27T23:15:09.830.

Details

CWE(s)
CWE-352

CVEs Like This One

CVE-2025-28867Shared CWE-352
CVE-2026-41347Shared CWE-352
CVE-2026-39671Shared CWE-352
CVE-2025-28856Shared CWE-352
CVE-2025-25769Shared CWE-352
CVE-2025-26550Shared CWE-352
CVE-2025-23661Shared CWE-352
CVE-2025-25088Shared CWE-352
CVE-2026-25812Shared CWE-352
CVE-2025-15405Shared CWE-352

References