CVE-2025-70146
Awaiting Analysis Awaiting Analysis - Queue
Missing Authentication in ProjectWorlds Admin Scripts Enables Unauthorized Access

Publication date: 2026-02-18

Last updated on: 2026-02-20

Assigner: MITRE

Description
Missing authentication in multiple administrative action scripts under /admin/ in ProjectWorlds Online Time Table Generator 1.0 allows remote attackers to perform unauthorized administrative operations (e.g.,adding records, deleting records) via direct HTTP requests to affected endpoints without a valid session.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-18
Last Modified
2026-02-20
Generated
2026-06-16
AI Q&A
2026-02-18
EPSS Evaluated
2026-06-15
NVD
CVE-2025-70146
EUVD
EUVD-2025-207788
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
projectworlds online_time_table_generator 1.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
CWE-306 The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-70146 is a vulnerability in ProjectWorlds Online Time Table Generator 1.0 where multiple administrative action scripts under the /admin/ directory lack authentication and authorization checks.

This means that remote attackers can perform unauthorized administrative operations such as adding or deleting records by sending direct HTTP requests to these endpoints without needing a valid session or login.

Specifically, deletion scripts like deleteteacher.php, deletestudent.php, and others do not verify if the requester is an authenticated admin, allowing attackers to delete critical data such as students, teachers, courses, semesters, subjects, and timetable entries.

The root cause is missing session validation and authorization controls in these scripts, which leads to broken access control vulnerabilities classified as CWE-306 and CWE-862.

Impact Analysis

This vulnerability can have severe impacts including unauthorized deletion of critical data such as student records, teacher information, courses, semesters, subjects, and timetable entries.

Such unauthorized deletions can lead to loss of data integrity and availability, disrupting the timetable generation and administration processes.

Because attackers can perform these actions without authentication, it can result in denial of service for legitimate users and administrators, potentially causing significant operational disruption in educational institutions relying on this system.

Compliance Impact

I don't know

Detection Guidance

This vulnerability can be detected by attempting to access the administrative deletion scripts under the /admin/ directory without authentication and observing if unauthorized actions are allowed.

For example, you can use curl commands to test if deletion endpoints are accessible without a valid session.

  • curl -i http://yourserver/admin/deletestudent.php?stu_id=3
  • curl -i http://yourserver/admin/deleteteacher.php?teacher_id=5

If these commands succeed in deleting records or return HTTP 200 responses without requiring authentication, it indicates the presence of the vulnerability.

Mitigation Strategies

Immediate mitigation steps include enforcing authentication and authorization checks in all administrative scripts under the /admin/ directory.

  • Add session management at the start of each admin script (e.g., session_start()) and verify that the user is an authenticated admin before allowing any action.
  • Return HTTP 403 Forbidden responses if the user is not authenticated or authorized.
  • Change destructive actions to use POST requests instead of GET, and implement CSRF tokens to prevent cross-site request forgery.
  • Use parameterized SQL queries (prepared statements) and validate all input parameters to prevent SQL injection.

These steps will help prevent unauthorized remote attackers from performing administrative operations without valid sessions.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-70146. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart