7.2

CVE-2025-60500

Exploit

EPSS 0.1%
Veröffentlicht 21.10.2025 00:00:00
Zuletzt bearbeitet 17.11.2025 12:46:55
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

QDocs Smart School Management System 7.1 allows authenticated users with roles such as "accountant" or "admin" to bypass file type restrictions in the media upload feature by abusing the alternate YouTube URL option. This logic flaw permits uploading of arbitrary PHP files, which are stored in a web-accessible directory.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 4

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Qdocs ≫ Smart School Version7.1.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.1%	0.283

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
134c704f-9b21-4f2e-91b3-4a467353bcc0	7.2	1.2	5.9	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CWE-434 Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

https://github.com/H4zaz/CVE-2025-60500

Third Party Advisory

Exploit

Mitigation

https://nvd.nist.gov/vuln/detail/CVE-2025-60500

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-60500

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-60500

EUVD