CVE-2025-46204
BaseFortify
Publication date: 2025-06-04
Last updated on: 2025-06-10
Assigner: MITRE
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| changeweb | unifiedtransform | 2.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-266 | A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor. |
Attack-Flow Graph
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the /course/edit/{id} endpoint strictly to administrative users by implementing proper access control checks in the CourseController's edit() method. Until a patch is applied, monitor and audit access logs for unauthorized modifications and consider temporarily disabling the course editing functionality for non-admin users to prevent exploitation. [1]
Can you explain this vulnerability to me?
CVE-2025-46204 is an Incorrect Access Control vulnerability in Unifiedtransform v2.0, a school management software. It allows any user, including students and teachers, to escalate privileges by accessing and modifying course details via the /course/edit/{id} endpoint, which should be restricted to administrators only. This happens because the application does not properly enforce access control in the course editing functionality, allowing unauthorized users to change course names and categories. [1]
How can this vulnerability impact me?
This vulnerability can impact you by allowing unauthorized users to modify course information, leading to compromised data integrity and loss of administrative control. Such unauthorized changes can cause academic mismanagement and disrupt the curriculum structure, potentially affecting the reliability and trustworthiness of the educational system managed by the software. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to access the /course/edit/{id} endpoint as a non-administrative user (such as a student or teacher) and checking if you are able to modify course details. For example, after logging in as a non-admin user, you can use a command-line tool like curl to send a POST or PUT request to the endpoint with a valid course ID and observe if the changes are accepted. Example command: `curl -X POST -d '{"name":"New Course Name"}' -H 'Content-Type: application/json' -b cookies.txt https://your-unifiedtransform-domain/course/edit/123` [1]
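The mitigation answer above recommends monitoring access logs for unauthorized modifications, and the detection answer describes probing the /course/edit/{id} endpoint. The following script is an added example written for this page; it is not part of the BaseFortify record or of the Unifiedtransform project. It audits web-server access logs for that endpoint after the fact instead of probing a live system. It assumes an nginx/Apache combined-log layout in which the `remote_user` field carries the application user name, and it assumes a user-to-role mapping exported from the application (the log lines and the role map below are constructed sample data). Requests to the edit endpoint by anyone whose role is not `admin` are reported, and those that the server accepted (status below 400) are flagged as confirmed unauthorized modifications.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample access log (combined format). The third field is the
# authenticated user name; this is a deployment assumption, not a format
# Unifiedtransform itself guarantees.
SAMPLE_LOG = """\
10.0.0.5 - alice [05/Jun/2025:09:12:01 +0000] "GET /course/edit/123 HTTP/1.1" 200 5120
10.0.0.5 - alice [05/Jun/2025:09:12:09 +0000] "POST /course/edit/123 HTTP/1.1" 302 0
10.0.0.9 - bob [05/Jun/2025:09:15:44 +0000] "POST /course/edit/123 HTTP/1.1" 302 0
10.0.0.9 - bob [05/Jun/2025:09:16:02 +0000] "GET /course/edit/124?tab=info HTTP/1.1" 403 512
10.0.0.7 - carol [05/Jun/2025:09:20:10 +0000] "GET /courses HTTP/1.1" 200 2048
10.0.0.7 - carol [05/Jun/2025:09:21:30 +0000] "PUT /course/edit/7 HTTP/1.1" 200 120
"""

# Constructed role map, e.g. exported from the application's users table.
USER_ROLES: Dict[str, str] = {"alice": "admin", "bob": "teacher", "carol": "student"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# The vulnerable endpoint named in the advisory; the course id is numeric.
EDIT_PATH_RE = re.compile(r"^/course/edit/(?P<course_id>\d+)$")


@dataclass(frozen=True)
class Finding:
    timestamp: str
    user: str
    role: str
    method: str
    course_id: int
    status: int
    accepted: bool  # True when the server did not reject the request


def parse_line(line: str) -> Optional[dict]:
    """Return the named fields of one combined-format log line, or None."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_unauthorized_course_edits(
    log_text: str, roles: Dict[str, str], admin_role: str = "admin"
) -> List[Finding]:
    """Report every request to /course/edit/{id} by a non-admin user.

    Requests by admins are expected and skipped. Users missing from the
    role map are treated as 'unknown' so they are still reported.
    """
    findings: List[Finding] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]  # ignore any query string
        m = EDIT_PATH_RE.match(path)
        if m is None:
            continue
        role = roles.get(rec["user"], "unknown")
        if role == admin_role:
            continue
        status = int(rec["status"])
        findings.append(
            Finding(
                timestamp=rec["ts"],
                user=rec["user"],
                role=role,
                method=rec["method"],
                course_id=int(m.group("course_id")),
                status=status,
                accepted=status < 400,
            )
        )
    return findings


def confirmed_modifications(findings: List[Finding]) -> List[Finding]:
    """Keep only state-changing requests that the server accepted."""
    return [f for f in findings if f.method in {"POST", "PUT", "PATCH"} and f.accepted]


if __name__ == "__main__":
    all_hits = find_unauthorized_course_edits(SAMPLE_LOG, USER_ROLES)
    for f in all_hits:
        print(f"{f.timestamp} {f.user}({f.role}) {f.method} course {f.course_id} -> {f.status}")
    print("confirmed modifications:", len(confirmed_modifications(all_hits)))
```

A 403 in the sample (bob's second request) shows what the log looks like once the endpoint enforces the check; accepted POST/PUT responses from non-admin users are the entries that warrant review of the affected course records.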