CVE-2025-11661
BaseFortify
Publication date: 2025-10-13
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| oranbyte | school_management_system | 1.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-306 | The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. |
| CWE-287 | When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-11661 is a critical authentication vulnerability in the ProjectsAndPrograms School Management System. The system lacks proper authentication mechanisms across multiple administrative and user-facing endpoints because it does not have a centralized authentication framework. This means attackers can access and manipulate critical system functions without any credentials, including editing subjects, students, teachers, and notices. The vulnerability allows unauthenticated attackers to bypass role-based access controls and perform unauthorized operations. [1]
How can this vulnerability impact me? :
This vulnerability can lead to unauthorized access to sensitive information such as student records and teacher details. Attackers can escalate privileges to perform administrative operations without valid credentials, compromise data integrity by making unauthorized modifications, and bypass role-based access controls. This can result in significant data breaches, manipulation of academic data, and loss of trust in the system. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing access to critical endpoints without authentication. For example, sending crafted HTTP POST requests to endpoints like /assets/editSubject.php and checking if unauthorized modifications are possible. You can use curl commands such as: curl -X POST -F 'field=value' http://target/assets/editSubject.php to see if the request succeeds without authentication tokens or session cookies. Monitoring network traffic for such unauthenticated requests to administrative endpoints can also help detect exploitation attempts. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include implementing comprehensive authentication by adding session validation to all sensitive endpoints, developing centralized access control middleware, and establishing role-based access control to ensure proper privilege management. Additionally, conduct a thorough security audit to verify that all endpoints enforce authentication and prevent unauthorized access. [1]