Upstream information

CVE-2025-54286 at MITRE

Description

Cross-Site Request Forgery (CSRF) in LXD-UI in Canonical LXD versions >= 5.0 on Linux allows an attacker to create and start container instances without user consent via crafted HTML form submissions exploiting client certificate authentication.

SUSE information

Overall state of this security issue: Does not affect SUSE products

This issue is currently rated as having moderate severity.

CVSS v4 Scores
  CNA (Canonical)
Base Score 7.5
Vector CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Network
Attack Complexity High
Attack Requirements Present
Privileges Required None
User Interaction Active
Vulnerable System Confidentiality Impact High
Vulnerable System Integrity Impact High
Vulnerable System Availability Impact High
Subsequent System Confidentiality Impact Low
Subsequent System Integrity Impact Low
Subsequent System Availability Impact Low
CVSSv4 Version 4.0
SUSE Bugzilla entry: 1250945 [NEW]

No SUSE Security Announcements cross referenced.


SUSE Timeline for this CVE

CVE page created: Thu Oct 2 14:00:02 2025
CVE page last modified: Thu Oct 2 18:33:03 2025