itning Student Homework Management System Edit Job Page fileupload cross site scripting
Platform
other
Component
student-homework-management-system
Fixed in
1.2.1
1.2.2
1.2.3
1.2.4
1.2.5
1.2.6
1.2.7
1.2.8
A cross-site scripting (XSS) vulnerability has been identified in the itning Student Homework Management System, affecting versions 1.2.0 through 1.2.7. This flaw allows attackers to inject malicious scripts into the system, potentially compromising user data and system integrity. The vulnerability resides within the /shw_war/fileupload file of the Edit Job Page component, specifically through manipulation of the Course argument. A patch is available in version 1.2.8.
Impact and Attack Scenarios
Successful exploitation of CVE-2025-3149 allows an attacker to execute arbitrary JavaScript code within the context of a user's browser session. This can lead to various malicious activities, including session hijacking, phishing attacks, and defacement of the Student Homework Management System interface. Sensitive user data, such as student grades, assignments, and personal information, could be exposed or modified. The remote nature of the vulnerability means attackers can exploit it from anywhere with network access to the system. Given the XSS nature, the potential for lateral movement is limited, but the blast radius extends to all users interacting with the affected pages.
Exploitation Context
This vulnerability has been publicly disclosed, increasing the risk of exploitation. While no active campaigns have been definitively linked to CVE-2025-3149, the availability of public information makes it a potential target for opportunistic attackers. The vulnerability was added to the NVD on 2025-04-03. The EPSS score is likely medium due to the public disclosure and relatively simple exploitation path.
Who Is at Risk
Educational institutions and organizations utilizing the Student Homework Management System, particularly those relying on older, unsupported versions (1.2.0–1.2.7), are at significant risk. Shared hosting environments where multiple users share the same instance of the system are also particularly vulnerable, as an attacker compromising one user's account could potentially impact others.
Attack Timeline
- Disclosure
Threat Intelligence
Exploit Status
EPSS
0.18% (percentile 39%)
CISA SSVC
CVSS Vector
What do these metrics mean?
- Attack Vector: Network. Exploitable remotely over the internet; no physical or local access required.
- Attack Complexity: Low. No special conditions required; reliably exploitable.
- Privileges Required: High. An administrator or otherwise privileged account is required.
- User Interaction: Required. The victim must open a file, click a link, or visit a page.
- Scope: Unchanged. Impact is limited to the vulnerable component.
- Confidentiality: None. No impact on confidentiality.
- Integrity: Low. The attacker can modify some data, with limited impact.
- Availability: None. No impact on availability.
Affected Software
Weakness Classification (CWE)
Timeline
- Reserved
- Published
- EPSS updated
Mitigation and Workarounds
The primary mitigation for CVE-2025-3149 is to upgrade the Student Homework Management System to version 1.2.8 or later, which contains the necessary fix. Since the product is no longer supported, upgrading may introduce compatibility issues. Before upgrading, thoroughly test the new version in a non-production environment. As a temporary workaround, implement strict input validation and output encoding on the Course argument within the /shw_war/fileupload file. Consider using a Web Application Firewall (WAF) to filter out malicious requests containing XSS payloads. Regularly monitor system logs for suspicious activity.
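One way to apply the two workarounds named above, validating the Course value on the way in and HTML-encoding it on the way out, as an added example that is not the project's own code; the allowlist pattern, the table-cell rendering and the sample values are assumptions, and the actual application is a Java WAR, so this Python only illustrates the technique:

```python
import html
import re

# Constructed allowlist for a course name (hypothetical policy, not the
# project's own): letters, digits, spaces and a few punctuation marks.
COURSE_RE = re.compile(r"[A-Za-z0-9 .\-_()]{1,64}")


def validate_course(raw: str) -> str:
    """Input validation: reject any Course value outside the allowlist."""
    if not COURSE_RE.fullmatch(raw):
        raise ValueError("invalid course name")
    return raw


def is_rejected(raw: str) -> bool:
    """Convenience wrapper returning True when validation refuses the value."""
    try:
        validate_course(raw)
        return False
    except ValueError:
        return True


def render_course_cell(course: str) -> str:
    """Output encoding: escape for both an attribute and an element body.

    html.escape(quote=True) turns < > & " ' into entities, so a value that
    slipped past validation (or was stored before validation existed)
    cannot break out of either HTML context.
    """
    safe = html.escape(course, quote=True)
    return f'<td data-course="{safe}">{safe}</td>'


# Constructed sample values, not taken from the advisory.
SAMPLES = [
    "Algorithms 101",
    "<script>alert(1)</script>",
    'Physics" onmouseover="x',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(is_rejected(sample), render_course_cell(sample))
```

Validation blocks the malformed values at the upload endpoint, while the encoder keeps already-stored values harmless when the edit page renders them.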
How to Fix
Since the product is no longer supported, the only solution is to stop using it and migrate to an alternative that receives security updates. If migration is not possible, it is recommended to isolate the system and apply additional security measures such as a firewall to mitigate the risk of exploitation.
Frequently Asked Questions
What is CVE-2025-3149 — XSS in Student Homework Management System?
CVE-2025-3149 is a cross-site scripting vulnerability affecting Student Homework Management System versions 1.2.0–1.2.7. It allows attackers to inject malicious scripts via the Course argument, potentially compromising user data.
Am I affected by CVE-2025-3149 in Student Homework Management System?
You are affected if you are using Student Homework Management System versions 1.2.0 through 1.2.7. The product is no longer supported, so upgrading may present challenges.
How do I fix CVE-2025-3149 in Student Homework Management System?
Upgrade to version 1.2.8 or later. If upgrading is not feasible, implement input validation and output encoding as a temporary workaround.
Is CVE-2025-3149 being actively exploited?
While no confirmed active campaigns are known, the public disclosure increases the risk of exploitation by opportunistic attackers.
Where can I find the official Student Homework Management System advisory for CVE-2025-3149?
Due to the product being unsupported, a formal advisory may not be available. Check the itning website or relevant security forums for updates.