Executive Summary

CVE-2025-70147 affects ProjectWorlds Online Time Table Generator 1.0 and involves a missing authentication vulnerability on administrative pages.

Specifically, the endpoints /admin/student.php and /admin/teacher.php do not require any valid session or login, allowing remote attackers to access these pages directly via HTTP GET requests.

This lack of session validation means attackers can retrieve sensitive information including plaintext password fields and personally identifiable information (PII) of students and teachers.

The root cause is the absence of session checks such as session_start() or verifying admin session variables in these admin scripts.

Additionally, the product ships with a default database dump that stores passwords in plaintext, increasing the severity of the information disclosure.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to a high confidentiality loss because attackers can obtain sensitive data including plaintext passwords and personally identifiable information of users.

With access to plaintext credentials, attackers can perform account takeover attacks on the affected system.

Moreover, if users reuse passwords on other services, attackers could potentially compromise those accounts as well.

The exposure of PII also increases the risk of identity theft and privacy violations.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by sending unauthenticated HTTP GET requests directly to the vulnerable endpoints `/admin/student.php` and `/admin/teacher.php` and checking for responses containing sensitive information such as plaintext passwords and personally identifiable information (PII).

A simple detection method is to use curl or similar HTTP clients to request these URLs without any authentication cookies or session tokens.

• curl -i http://<target-domain>/admin/student.php
• curl -i http://<target-domain>/admin/teacher.php

If the response status is HTTP 200 and the body contains HTML tables with user data including plaintext passwords, the vulnerability is present.

Useful 0 Not Useful 0

Mitigation Strategies

[{'type': 'paragraph', 'content': 'Immediate mitigation steps include enforcing authentication and authorization on all admin pages by initiating sessions and verifying admin session variables at the start of each `/admin/*.php` script.'}, {'type': 'paragraph', 'content': "Specifically, add session management code such as `session_start()` and checks like `isset($_SESSION['admin'])` to prevent unauthenticated access."}, {'type': 'paragraph', 'content': 'Additionally, remove password fields from any output and store passwords securely using one-way hashing functions like PHP’s `password_hash()` and `password_verify()`.'}, {'type': 'paragraph', 'content': 'Optional hardening measures include implementing rate limiting, logging admin access, and adding CSRF protections for state-changing actions.'}] [1]

Useful 0 Not Useful 0