CVE-2025-70147
Authentication Bypass in ProjectWorlds Admin Exposes Sensitive Data
Publication date: 2026-02-18
Last updated on: 2026-02-20
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| projectworlds | online_time_table_generator | 1.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-306 | The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. |
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-70147 affects ProjectWorlds Online Time Table Generator 1.0 and involves a missing authentication vulnerability on administrative pages.
Specifically, the endpoints /admin/student.php and /admin/teacher.php do not require any valid session or login, allowing remote attackers to access these pages directly via HTTP GET requests.
This lack of session validation means attackers can retrieve sensitive information including plaintext password fields and personally identifiable information (PII) of students and teachers.
The root cause is the absence of session checks such as session_start() or verifying admin session variables in these admin scripts.
Additionally, the product ships with a default database dump that stores passwords in plaintext, increasing the severity of the information disclosure.
How can this vulnerability impact me? :
This vulnerability can lead to a high confidentiality loss because attackers can obtain sensitive data including plaintext passwords and personally identifiable information of users.
With access to plaintext credentials, attackers can perform account takeover attacks on the affected system.
Moreover, if users reuse passwords on other services, attackers could potentially compromise those accounts as well.
The exposure of PII also increases the risk of identity theft and privacy violations.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by sending unauthenticated HTTP GET requests directly to the vulnerable endpoints `/admin/student.php` and `/admin/teacher.php` and checking for responses containing sensitive information such as plaintext passwords and personally identifiable information (PII).
A simple detection method is to use curl or similar HTTP clients to request these URLs without any authentication cookies or session tokens.
- curl -i http://<target-domain>/admin/student.php
- curl -i http://<target-domain>/admin/teacher.php
If the response status is HTTP 200 and the body contains HTML tables with user data including plaintext passwords, the vulnerability is present.
What immediate steps should I take to mitigate this vulnerability?
[{'type': 'paragraph', 'content': 'Immediate mitigation steps include enforcing authentication and authorization on all admin pages by initiating sessions and verifying admin session variables at the start of each `/admin/*.php` script.'}, {'type': 'paragraph', 'content': "Specifically, add session management code such as `session_start()` and checks like `isset($_SESSION['admin'])` to prevent unauthenticated access."}, {'type': 'paragraph', 'content': 'Additionally, remove password fields from any output and store passwords securely using one-way hashing functions like PHPβs `password_hash()` and `password_verify()`.'}, {'type': 'paragraph', 'content': 'Optional hardening measures include implementing rate limiting, logging admin access, and adding CSRF protections for state-changing actions.'}] [1]