CVE-2025-11661
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-13

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was found in ProjectsAndPrograms School Management System up to 6b6fae5426044f89c08d0dd101c7fa71f9042a59. This affects an unknown part. Performing manipulation results in missing authentication. The attack is possible to be carried out remotely. The exploit has been made public and could be used. This product adopts a rolling release strategy to maintain continuous delivery
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-13
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2025-10-13
EPSS Evaluated
2026-06-15
NVD
CVE-2025-11661
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
oranbyte school_management_system 1.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-287 When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
CWE-306 The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-11661 is a critical authentication vulnerability in the ProjectsAndPrograms School Management System. The system lacks proper authentication mechanisms across multiple administrative and user-facing endpoints because it does not have a centralized authentication framework. This means attackers can access and manipulate critical system functions without any credentials, including editing subjects, students, teachers, and notices. The vulnerability allows unauthenticated attackers to bypass role-based access controls and perform unauthorized operations. [1]

Impact Analysis

This vulnerability can lead to unauthorized access to sensitive information such as student records and teacher details. Attackers can escalate privileges to perform administrative operations without valid credentials, compromise data integrity by making unauthorized modifications, and bypass role-based access controls. This can result in significant data breaches, manipulation of academic data, and loss of trust in the system. [1]

Detection Guidance

This vulnerability can be detected by testing access to critical endpoints without authentication. For example, sending crafted HTTP POST requests to endpoints like /assets/editSubject.php and checking if unauthorized modifications are possible. You can use curl commands such as: curl -X POST -F 'field=value' http://target/assets/editSubject.php to see if the request succeeds without authentication tokens or session cookies. Monitoring network traffic for such unauthenticated requests to administrative endpoints can also help detect exploitation attempts. [1]

Mitigation Strategies

Immediate mitigation steps include implementing comprehensive authentication by adding session validation to all sensitive endpoints, developing centralized access control middleware, and establishing role-based access control to ensure proper privilege management. Additionally, conduct a thorough security audit to verify that all endpoints enforce authentication and prevent unauthorized access. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-11661. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart