CVE-2025-70146
Missing Authentication in ProjectWorlds Admin Scripts Enables Unauthorized Access
Publication date: 2026-02-18
Last updated on: 2026-02-20
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| projectworlds | online_time_table_generator | 1.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-306 | The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. |
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-70146 is a vulnerability in ProjectWorlds Online Time Table Generator 1.0 where multiple administrative action scripts under the /admin/ directory lack authentication and authorization checks.
This means that remote attackers can perform unauthorized administrative operations such as adding or deleting records by sending direct HTTP requests to these endpoints without needing a valid session or login.
Specifically, deletion scripts like deleteteacher.php, deletestudent.php, and others do not verify if the requester is an authenticated admin, allowing attackers to delete critical data such as students, teachers, courses, semesters, subjects, and timetable entries.
The root cause is missing session validation and authorization controls in these scripts, which leads to broken access control vulnerabilities classified as CWE-306 and CWE-862.
How can this vulnerability impact me? :
This vulnerability can have severe impacts including unauthorized deletion of critical data such as student records, teacher information, courses, semesters, subjects, and timetable entries.
Such unauthorized deletions can lead to loss of data integrity and availability, disrupting the timetable generation and administration processes.
Because attackers can perform these actions without authentication, it can result in denial of service for legitimate users and administrators, potentially causing significant operational disruption in educational institutions relying on this system.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to access the administrative deletion scripts under the /admin/ directory without authentication and observing if unauthorized actions are allowed.
For example, you can use curl commands to test if deletion endpoints are accessible without a valid session.
- curl -i http://yourserver/admin/deletestudent.php?stu_id=3
- curl -i http://yourserver/admin/deleteteacher.php?teacher_id=5
If these commands succeed in deleting records or return HTTP 200 responses without requiring authentication, it indicates the presence of the vulnerability.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include enforcing authentication and authorization checks in all administrative scripts under the /admin/ directory.
- Add session management at the start of each admin script (e.g., session_start()) and verify that the user is an authenticated admin before allowing any action.
- Return HTTP 403 Forbidden responses if the user is not authenticated or authorized.
- Change destructive actions to use POST requests instead of GET, and implement CSRF tokens to prevent cross-site request forgery.
- Use parameterized SQL queries (prepared statements) and validate all input parameters to prevent SQL injection.
These steps will help prevent unauthorized remote attackers from performing administrative operations without valid sessions.