yungifez Skuul School Management System kwetsbaar voor XSS via SVG
Platform
php
Component
yungifez/skuul
Opgelost in
2.6.1
2.6.2
2.6.3
2.6.4
2.6.5
2.6.6
2.6.6
A cross-site scripting (XSS) vulnerability has been identified in yungifez Skuul School Management System versions up to 2.6.5. This flaw resides within the SVG File Handler component, specifically affecting the /dashboard/schools/1/edit file. Successful exploitation allows an attacker to inject malicious scripts, potentially compromising user sessions and system integrity. A fix is available in version 2.6.6.
Impact en Aanvalsscenarioswordt vertaald…
This XSS vulnerability allows an attacker to inject arbitrary JavaScript code into the Skuul School Management System. An attacker could leverage this to steal user credentials, redirect users to malicious websites, or deface the application. The vulnerability's location within the /dashboard/schools/1/edit page suggests that administrators are particularly at risk, as they often have elevated privileges within the system. Given the public availability of an exploit, rapid exploitation is likely. The impact could extend beyond the immediate application, potentially affecting any systems accessible through compromised administrator accounts.
Uitbuitingscontextwordt vertaald…
This vulnerability has been publicly disclosed and an exploit is available, indicating a high likelihood of exploitation. The CVE was published on 2025-11-30. The vendor has not responded to early disclosure attempts. The CVSS score of 2.4 (LOW) reflects the relatively limited impact and ease of exploitation, but the public exploit significantly increases the risk.
Wie Loopt Risicowordt vertaald…
Schools and educational institutions using yungifez Skuul School Management System, particularly those running versions prior to 2.6.6, are at risk. Administrators of the system are at higher risk due to their elevated privileges and frequent access to the /dashboard/schools/1/edit page. Shared hosting environments where multiple users share the same server instance are also vulnerable.
Detectiestappenwordt vertaald…
• php / web:
curl -I https://example.com/dashboard/schools/1/edit | grep -i 'X-XSS-Protection'• php / web: Examine the /dashboard/schools/1/edit file for any unsanitized user input that is directly outputted to the page.
• generic web: Monitor access logs for unusual requests targeting /dashboard/schools/1/edit with suspicious parameters.
• generic web: Check response headers for unexpected JavaScript code or redirects.
Aanvalstijdlijn
- Disclosure
disclosure
- PoC
poc
Dreigingsinformatie
Exploit Status
EPSS
0.04% (13% percentiel)
CISA SSVC
CVSS-vector
Wat betekenen deze metrics?
- Attack Vector
- Netwerk — op afstand uitbuitbaar via internet. Geen fysieke of lokale toegang vereist.
- Attack Complexity
- Laag — geen speciale voorwaarden vereist. Betrouwbaar uitbuitbaar.
- Privileges Required
- Hoog — beheerder of geprivilegieerd account vereist.
- User Interaction
- Vereist — slachtoffer moet een bestand openen, op een link klikken of een pagina bezoeken.
- Scope
- Ongewijzigd — impact beperkt tot het kwetsbare component.
- Confidentiality
- Geen — geen vertrouwelijkheidsimpact.
- Integrity
- Laag — aanvaller kan enkele gegevens met beperkte omvang aanpassen.
- Availability
- Geen — geen beschikbaarheidsimpact.
Getroffen Software
Pakketinformatie
- Laatste update
- V2.6.49 maanden geleden
Zwakheidsclassificatie (CWE)
Tijdlijn
- Gereserveerd
- Gepubliceerd
- Gewijzigd
- EPSS bijgewerkt
Mitigatie en Workaroundswordt vertaald…
The primary mitigation for CVE-2025-13784 is to upgrade to version 2.6.6 or later. If upgrading is not immediately feasible, consider implementing input validation and output encoding on user-supplied data within the /dashboard/schools/1/edit page. Web application firewalls (WAFs) configured to detect and block XSS payloads can provide an additional layer of defense. Regularly review and sanitize any SVG files uploaded to the system to prevent malicious code injection.
Hoe te verhelpen
Actualiseer naar een gepatchte versie of pas de mitigaties toe die door de leverancier worden geboden, indien beschikbaar. Aangezien de leverancier niet reageert, wordt aanbevolen de kwetsbare code te analyseren en handmatig een patch toe te passen om de uitvoering van ongewenste scripts te voorkomen. Het valideren en sanitiseren van SVG-bestandsinvoer is cruciaal om XSS-aanvallen te voorkomen.
CVE Beveiligingsnieuwsbrief
Kwetsbaarheidsanalyses en kritieke waarschuwingen direct in uw inbox.
Veelgestelde vragenwordt vertaald…
What is CVE-2025-13784 — XSS in yungifez Skuul School Management System?
CVE-2025-13784 is a cross-site scripting (XSS) vulnerability affecting yungifez Skuul School Management System versions up to 2.6.5, allowing attackers to inject malicious scripts.
Am I affected by CVE-2025-13784 in yungifez Skuul School Management System?
You are affected if you are using yungifez Skuul School Management System versions 2.6.5 or earlier. Upgrade to 2.6.6 or later to mitigate the risk.
How do I fix CVE-2025-13784 in yungifez Skuul School Management System?
The recommended fix is to upgrade to version 2.6.6 or later. Implement input validation and output encoding as a temporary workaround.
Is CVE-2025-13784 being actively exploited?
Yes, a public exploit is available, indicating a high probability of active exploitation.
Where can I find the official yungifez advisory for CVE-2025-13784?
The vendor has not responded to early disclosure attempts. Check the yungifez website and GitHub repository for updates.
Is jouw project getroffen?
Upload je dependency-bestand en kom direct te weten of deze en andere CVEs jou raken.