CVE-2025-15213
Improper Authorization in Student File Management System Download Handler

Publication date: 2025-12-30

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability has been found in code-projects Student File Management System 1.0. The affected element is an unknown function of the file /download.php in the File Download Handler component. Manipulation of the argument store_id leads to improper authorization. The attack can be carried out remotely. The exploit has been disclosed to the public and may be used.
Meta Information
Generated: 2026-06-16
AI Q&A: 2025-12-30
EPSS evaluated: 2026-06-15
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
code-projects student_file_management_system 1.0
CWE ID Description
CWE-285 The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
CWE-266 A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
AI Quick Actions
Executive Summary

This vulnerability exists in Student File Management System 1.0, specifically in the File Download Handler component implemented in /download.php. It is an improper authorization flaw triggered by manipulation of the 'store_id' argument, which may allow an attacker to download files they are not authorized to access. The attack can be performed remotely and the exploit has been publicly disclosed.

Impact Analysis

The vulnerability can lead to unauthorized access to files within the Student File Management System, potentially exposing sensitive or restricted information. Since the attack can be carried out remotely, it increases the risk of data leakage or unauthorized data exposure without requiring physical access to the system.

Compliance Impact

The vulnerability allows unauthorized access to sensitive files due to improper authorization checks, which could lead to exposure of personal or sensitive data. This unauthorized data access may result in non-compliance with data protection regulations such as GDPR or HIPAA, which require strict controls on access to personal and sensitive information. However, no specific details on compliance impact are provided in the resources. [1, 2, 3]

Detection Guidance

This vulnerability can be detected by monitoring HTTP requests to the /download.php endpoint for manipulation of the 'store_id' parameter: look for unusual or unauthorized access patterns in which 'store_id' values are used to reach files that do not belong to the authenticated user. A suggested way to check for the issue with command-line tools like curl or wget is to perform HTTP GET requests with different 'store_id' values and observe whether unauthorized files are accessible, for example: curl -i 'http://target/download.php?store_id=some_value'. Additionally, network monitoring tools or web application firewalls can be configured to alert on suspicious requests to /download.php with varying 'store_id' parameters. Google Dorking with queries like 'inurl:download.php' can help identify vulnerable targets externally. [2, 3]
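As an added illustration of the log-based monitoring described above (this script is not part of the advisory or of the affected product), the following Python code assumes a constructed Apache-style access log in which the authenticated-user field is filled in, plus a hypothetical store_id-to-owner table; it flags successful downloads of files the requesting user does not own and client IPs that request many distinct 'store_id' values.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qs
# Constructed sample access-log lines (Apache common log format with the
# authenticated-user field filled in); not real traffic from any system.
SAMPLE_LOG = """\
10.0.0.5 - alice [30/Dec/2025:10:00:01 +0000] "GET /download.php?store_id=17 HTTP/1.1" 200 4096
10.0.0.5 - alice [30/Dec/2025:10:00:02 +0000] "GET /download.php?store_id=18 HTTP/1.1" 200 4096
10.0.0.5 - alice [30/Dec/2025:10:00:03 +0000] "GET /download.php?store_id=19 HTTP/1.1" 200 4096
10.0.0.5 - alice [30/Dec/2025:10:00:04 +0000] "GET /download.php?store_id=20 HTTP/1.1" 200 4096
10.0.0.9 - bob [30/Dec/2025:10:01:00 +0000] "GET /download.php?store_id=42 HTTP/1.1" 200 1024
10.0.0.9 - bob [30/Dec/2025:10:01:30 +0000] "GET /index.php HTTP/1.1" 200 512
"""
# Constructed ownership table (hypothetical): which user each store_id belongs to.
OWNERS = {17: "alice", 18: "bob", 19: "carol", 20: "dave", 42: "bob"}

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
                    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def parse_download_requests(log_text):
    """Yield (ip, user, store_id, status) for each /download.php request carrying a numeric store_id."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlparse(m["target"])
        if url.path != "/download.php":
            continue
        ids = parse_qs(url.query).get("store_id")
        if not ids or not ids[0].isdigit():
            continue
        yield m["ip"], m["user"], int(ids[0]), int(m["status"])

def find_suspicious(log_text, owners, enumeration_threshold=3):
    """Return (cross_user_hits, enumerating_ips): successful downloads of files the
    requesting user does not own, and client IPs that fetched more distinct store_id
    values than enumeration_threshold (a sign of ID enumeration against the handler)."""
    cross_user = []
    ids_per_ip = defaultdict(set)
    for ip, user, store_id, status in parse_download_requests(log_text):
        ids_per_ip[ip].add(store_id)
        owner = owners.get(store_id)
        if status == 200 and owner is not None and owner != user:
            cross_user.append((user, store_id, owner))  # served a file the user does not own
    enumerating = sorted(ip for ip, ids in ids_per_ip.items() if len(ids) > enumeration_threshold)
    return cross_user, enumerating

if __name__ == "__main__":
    print(find_suspicious(SAMPLE_LOG, OWNERS))
```

In production the ownership lookup would query the application's own file table and the threshold would be tuned per time window; the structure of the two checks stays the same.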

Mitigation Strategies

Immediate mitigation steps include restricting access to the /download.php endpoint and implementing proper authorization checks to validate the 'store_id' parameter against the authenticated user's permissions. Since no known countermeasures or patches are reported, it is recommended to replace the affected software with an alternative product that does not have this vulnerability. Additionally, monitoring and logging access to sensitive files and limiting user privileges can help reduce risk until a secure fix is applied. [2]
