Platform: other
Component: student-homework-management-system
Fixed in: 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.2.5, 1.2.6, 1.2.7, 1.2.8
A cross-site scripting (XSS) vulnerability, rated problematic, has been identified in the itning Student Homework Management System, affecting versions 1.2.0 through 1.2.7. The flaw allows an attacker to inject script into pages served by the system, potentially compromising user data and system integrity. The vulnerability resides in the /shw_war/fileupload file of the Edit Job Page component and is triggered through manipulation of the Course argument. A patch is available in version 1.2.8.
Successful exploitation of CVE-2025-3149 allows an attacker to execute arbitrary JavaScript code within the context of a user's browser session. This can lead to various malicious activities, including session hijacking, phishing attacks, and defacement of the Student Homework Management System interface. Sensitive user data, such as student grades, assignments, and personal information, could be exposed or modified. The remote nature of the vulnerability means attackers can exploit it from anywhere with network access to the system. Given the XSS nature, the potential for lateral movement is limited, but the blast radius extends to all users interacting with the affected pages.
This vulnerability has been publicly disclosed, increasing the risk of exploitation. While no active campaigns have been definitively linked to CVE-2025-3149, the availability of public information makes it a potential target for opportunistic attackers. The vulnerability was added to the NVD on 2025-04-03. The EPSS score is likely medium due to the public disclosure and relatively simple exploitation path.
Educational institutions and organizations utilizing the Student Homework Management System, particularly those relying on older, unsupported versions (1.2.0–1.2.7), are at significant risk. Shared hosting environments where multiple users share the same instance of the system are also particularly vulnerable, as an attacker compromising one user's account could potentially impact others.
Exploit status: disclosure
EPSS: 0.18% (39th percentile)
CISA SSVC:
CVSS vector:
The primary mitigation for CVE-2025-3149 is to upgrade the Student Homework Management System to version 1.2.8 or later, which contains the necessary fix. Since the product is no longer supported, upgrading may introduce compatibility issues. Before upgrading, thoroughly test the new version in a non-production environment. As a temporary workaround, implement strict input validation and output encoding on the Course argument within the /shw_war/fileupload file. Consider using a Web Application Firewall (WAF) to filter out malicious requests containing XSS payloads. Regularly monitor system logs for suspicious activity.
Since the product is no longer supported, the only lasting solution is to stop using it and migrate to an alternative that receives security updates. If migration is not possible, isolate the system and apply additional security measures, such as a firewall, to reduce the risk of exploitation.
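The workaround above (validate the Course argument, output-encode it on render, and monitor logs) as an added example; this is not code from the itning project. The parameter name `course`, the access-log format and the sample log lines are assumptions constructed for the example.

```python
"""Added example, not code from the itning project: defensive handling of the
Course argument described for CVE-2025-3149. It validates and output-encodes the
value before rendering, and flags access-log entries to /shw_war/fileupload whose
course parameter carries markup. The parameter name `course`, the log format and
the sample lines are assumptions/constructed for the example."""
import html
import re
from urllib.parse import parse_qs, urlsplit

# Allow-list for a course name: word characters, spaces and a little punctuation.
COURSE_RE = re.compile(r"^[\w .,\-()]{1,100}$")

def validate_course(value: str) -> bool:
    """Server-side check: accept the Course argument only if it is on the allow-list."""
    return bool(COURSE_RE.fullmatch(value))

def render_course_cell(value: str) -> str:
    """Output-encode the Course value into an HTML table cell. quote=True also
    encodes ' and ", so the result is safe in element content and in attributes."""
    return "<td>%s</td>" % html.escape(value, quote=True)

# Markup that never belongs in a course name; used for monitoring, not as the
# primary defence (output encoding is).
MARKUP_RE = re.compile(r"[<>\"']|javascript:|on\w+\s*=", re.IGNORECASE)

def suspicious_fileupload_requests(log_lines):
    """Return (line_no, decoded course) for requests to /shw_war/fileupload whose
    course query parameter contains markup. Only the query string is visible in a
    Common Log Format line; POST bodies need application-level logging."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = re.search(r'"(?:GET|POST) (\S+) HTTP', line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        if url.path != "/shw_war/fileupload":
            continue
        for course in parse_qs(url.query).get("course", []):  # parse_qs decodes %XX
            if MARKUP_RE.search(course):
                hits.append((n, course))
    return hits

SAMPLE_LOG = [  # constructed sample lines, not real traffic
    '10.0.0.5 - - [03/Apr/2025:10:00:01 +0000] "POST /shw_war/fileupload?course=Algebra%20101 HTTP/1.1" 200 512',
    '10.0.0.7 - - [03/Apr/2025:10:00:09 +0000] "POST /shw_war/fileupload?course=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 512',
    '10.0.0.9 - - [03/Apr/2025:10:01:00 +0000] "GET /shw_war/index HTTP/1.1" 200 128',
]
```

Encoding on output is the control that closes the flaw; the allow-list and the log check reduce exposure and give the monitoring signal the mitigation text asks for.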
CVE-2025-3149 is a cross-site scripting vulnerability affecting Student Homework Management System versions 1.2.0–1.2.7. It allows attackers to inject malicious scripts via the Course argument, potentially compromising user data.
You are affected if you are using Student Homework Management System versions 1.2.0 through 1.2.7. The product is no longer supported, so upgrading may present challenges.
Upgrade to version 1.2.8 or later. If upgrading is not feasible, implement input validation and output encoding as a temporary workaround.
While no confirmed active campaigns are known, the public disclosure increases the risk of exploitation by opportunistic attackers.
Due to the product being unsupported, a formal advisory may not be available. Check the itning website or relevant security forums for updates.