CVE-2025-69727
Incorrect Access Control in INDEX-EDUCATION PRONOTE Allows Unauthorized Profile Image Access
Publication date: 2026-03-16
Last updated on: 2026-05-05
Assigner: MITRE
Description
CVSS Scores
EPSS Scores
| Metric | Value |
|---|---|
| Probability | |
| Percentile | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| index-education | pronote | < 2025.2.8 (2025.2.8 itself is not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-69727 is an incorrect access control vulnerability (CWE-284, with the identifier-substitution pattern of CWE-639) in INDEX-EDUCATION PRONOTE before version 2025.2.8. The application serves user profile images at direct URLs whose path is built from predictable identifiers: a user ID and the user's name with whitespace replaced by underscores.
Because those URLs are neither tied to an authenticated session nor rate-limited, anyone who knows or can guess a user ID and name can request the corresponding image directly, without logging in, and can repeat this across the whole user base in bulk.
How can this vulnerability impact me?
This vulnerability lets unauthenticated parties retrieve user profile images. Profile pictures are photographs of identifiable people, so each unauthorized download is a disclosure of personal data that can be misused (for example, for impersonation or profiling).
Because there is no rate limiting, an attacker can enumerate identifiers and harvest images for an entire user base rather than a single account, which turns an isolated leak into a bulk privacy breach.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Exposure is confirmed by requesting a profile image URL without any session cookie and checking that the server returns the image itself rather than a redirect to the login page. Only do this against instances you operate or are explicitly authorized to test.
The practical approach is to take a list of known or guessed user IDs and usernames, replace whitespace in each username with underscores, build the image URL from the pattern the advisory describes, and request each URL anonymously.
Command-line tools such as curl or wget are enough: send a request with no credentials and look at the status code and the Content-Type header. A 200 response with an image/* Content-Type confirms the issue; a 302 to the login page, a 401/403, or an HTML body means the image is not exposed at that URL.
- Generate URLs of the form https://demo.index-education.net/pronote/<path>, where <path> is built from the user ID and the sanitized username (the exact path layout is not reproduced on this page; take it from your own instance).
- Example curl command to test access: curl -I https://demo.index-education.net/pronote/path_to_profile_image (check the status line and Content-Type in the response headers).
- Automate the requests over a range of user IDs and usernames and record every URL that answers 200 with an image Content-Type; that list is the evidence of unauthorized access.
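The enumeration described above, as an added example that is not part of the original page and is not INDEX-EDUCATION's code. The advisory does not publish the exact image path, so `PROFILE_IMAGE_PATH` is a hypothetical template that must be replaced with the pattern observed on the instance you are authorized to test; the sample user list is constructed. The HTTP fetcher is injected so the decision logic can be exercised offline.

```python
"""
Added example: unauthenticated probe for predictable profile-image URLs.
Not from the original page or the vendor. The URL template below is an
ASSUMPTION (the real path is not published here); replace it with the
pattern seen on an instance you are authorised to test.
"""
import re
from typing import Callable, Iterable, List, Optional, Tuple
from urllib.error import HTTPError, URLError
from urllib.request import Request, urlopen

# Hypothetical path template: "{uid}" and "{name}" are the predictable parts.
PROFILE_IMAGE_PATH = "/pronote/images/profiles/{uid}_{name}.jpg"  # assumption

Result = Optional[Tuple[int, str]]  # (HTTP status, Content-Type) or None on error


def sanitize_name(name: str) -> str:
    """Whitespace becomes underscores, as the advisory describes; runs of
    whitespace collapse to one underscore and outer blanks are dropped."""
    return re.sub(r"\s+", "_", name.strip())


def build_url(base: str, uid: int, name: str,
              template: str = PROFILE_IMAGE_PATH) -> str:
    """Join the base URL with the (assumed) image path for one user."""
    return base.rstrip("/") + template.format(uid=uid, name=sanitize_name(name))


def candidate_urls(base: str, users: Iterable[Tuple[int, str]],
                   template: str = PROFILE_IMAGE_PATH) -> List[str]:
    return [build_url(base, uid, name, template) for uid, name in users]


def http_head(url: str, timeout: float = 5.0) -> Result:
    """Anonymous HEAD request: no cookies, no Authorization header.
    Redirects are followed, so a bounce to the login page shows up as
    a 200 with an HTML Content-Type, which is_exposed() rejects."""
    req = Request(url, method="HEAD")
    try:
        with urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Content-Type", "")
    except HTTPError as e:
        ctype = e.headers.get("Content-Type", "") if e.headers else ""
        return e.code, ctype
    except URLError:
        return None


def is_exposed(result: Result) -> bool:
    """Exposed means: served to an anonymous client with an image MIME type."""
    if result is None:
        return False
    status, ctype = result
    return status == 200 and ctype.lower().startswith("image/")


def probe(base: str, users: Iterable[Tuple[int, str]],
          fetch: Callable[[str], Result] = http_head,
          template: str = PROFILE_IMAGE_PATH) -> List[str]:
    """Return every candidate URL that is reachable without authentication."""
    return [url for url in candidate_urls(base, users, template)
            if is_exposed(fetch(url))]


if __name__ == "__main__":
    # Constructed sample identifiers; only run against an instance you own
    # or are explicitly authorised to test.
    sample_users = [(1, "Jean Dupont"), (2, "Marie  Curie"), (3, "admin")]
    for exposed_url in probe("https://demo.index-education.net", sample_users):
        print("exposed without authentication:", exposed_url)
```

The Content-Type check matters: a vulnerable server hands back `image/jpeg` (or similar) to the anonymous request, while a correctly protected one either refuses or redirects to the login form, and `urllib` reports the latter as a 200 text/html page. Counting bare 200s would therefore produce false positives.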
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include applying the official update to INDEX-EDUCATION PRONOTE version 2025.2.8 or later, where this vulnerability has been fixed.
Until the update can be applied, restrict access to the profile-image URLs in front of the application, since the missing authorization check lives in vendor code: have the reverse proxy or WAF that fronts PRONOTE refuse anonymous requests to the image path and rate-limit it per client, so that neither single unauthorized fetches nor bulk enumeration succeed.
Additionally, monitor the web server access logs for clients that request many distinct profile images in a short window, which is the signature of enumeration rather than normal use, and block the offending IP addresses if necessary.
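The log check described above, as an added example that is not part of the original page and not the vendor's code. It assumes the web server writes the Apache/nginx "combined" log format and uses a hypothetical `/profiles/` path fragment to recognise image requests; the log lines it analyses are constructed, not real traffic.

```python
"""
Added example: flag clients that pull many distinct profile images in a
short window (the enumeration pattern behind CVE-2025-69727).
Not from the original page or the vendor. Assumes "combined" access log
format; IMAGE_PATH_RE is an ASSUMPTION standing in for the real image path.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
IMAGE_PATH_RE = re.compile(r"/pronote/.*/profiles/")  # assumption
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line: str) -> Optional[Tuple[str, datetime, str, int]]:
    """Return (client_ip, timestamp, path, status) or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m["ip"], datetime.strptime(m["ts"], TS_FMT), m["path"], int(m["status"])


def flag_scrapers(lines: List[str], window: timedelta = timedelta(minutes=5),
                  threshold: int = 20) -> Dict[str, int]:
    """Map client IP -> largest number of distinct profile images it fetched
    successfully (HTTP 200) inside any single `window`, for IPs above
    `threshold`. Redirects to login (302) and errors are not counted."""
    hits: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, path, status = rec
        if status == 200 and IMAGE_PATH_RE.search(path):
            hits[ip].append((ts, path))

    flagged: Dict[str, int] = {}
    for ip, events in hits.items():
        events.sort()
        best, start = 0, 0
        for end in range(len(events)):          # sliding time window
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = len({p for _, p in events[start:end + 1]})
            best = max(best, distinct)
        if best > threshold:
            flagged[ip] = best
    return flagged


def sample_log() -> List[str]:
    """Constructed log lines (not real traffic): one scraper walking IDs
    one second apart, one normal user, one client bounced to the login page."""
    base = datetime(2026, 3, 17, 9, 0, 0)
    fmt = "%d/%b/%Y:%H:%M:%S"
    lines = []
    for i in range(25):
        ts = (base + timedelta(seconds=i)).strftime(fmt) + " +0000"
        lines.append(f'203.0.113.5 - - [{ts}] "GET /pronote/images/profiles/{i}_user_{i}.jpg '
                     f'HTTP/1.1" 200 4096 "-" "curl/8.0"')
    for i in range(3):
        ts = (base + timedelta(minutes=i)).strftime(fmt) + " +0000"
        lines.append(f'198.51.100.7 - - [{ts}] "GET /pronote/images/profiles/{i}_friend_{i}.jpg '
                     f'HTTP/1.1" 200 4096 "-" "Mozilla/5.0"')
    ts = base.strftime(fmt) + " +0000"
    lines.append(f'192.0.2.9 - - [{ts}] "GET /pronote/images/profiles/42_x.jpg '
                 f'HTTP/1.1" 302 0 "-" "python-requests/2.31"')
    return lines


if __name__ == "__main__":
    for ip, count in flag_scrapers(sample_log()).items():
        print(f"{ip}: {count} distinct profile images in one window")
```

Tune `window` and `threshold` to the instance: a class list page may legitimately load a few dozen avatars from one client, so set the threshold above that and look for clients whose requests arrive at machine-regular intervals, as the constructed scraper's do.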