
THREATINT
PUBLISHED

CVE-2025-48372

Schule Has Insecure OTP Length, is Susceptible to Brute-Force Attacks



Description

Schule is open-source school management system software. Its generateOTP() function generates a 4-digit numeric One-Time Password (OTP). In versions prior to 1.0.1 the value is confined to the range 1000–9999, which gives only 9000 possible codes; using a cryptographically secure random number generator does not help, because the size of the keyspace, not the quality of the randomness, is the problem. An attacker who can submit guesses without strong rate limiting or an account lockout needs on average about 4,500 attempts to hit the correct code, so the OTP is highly vulnerable to brute-force attacks. Version 1.0.1 fixes the issue.
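The following is an added example, not code from Schule or from the advisory; the page does not show the project's generateOTP() or state its language, so the weak generator below is an illustrative reconstruction of the described behaviour (a value drawn from 1000–9999), and the function and class names are the example's own. It puts the weak generator beside a fixed-length, zero-padded replacement, quantifies the keyspace and the expected guessing effort, and simulates a brute-force run against a verifier with and without an attempt lockout.

```python
import secrets
import string
from typing import Iterable, Optional

# Weak generator modelled on the advisory's description of Schule < 1.0.1:
# a 4-digit number in 1000..9999. Even with a CSPRNG the keyspace is 9000.
# (Illustrative reconstruction; the real function is not shown on this page.)
def weak_generate_otp() -> str:
    return str(secrets.randbelow(9000) + 1000)


# Hardened generator: fixed length, leading zeros allowed, digits drawn with
# secrets.choice, so the keyspace is 10**length (10**8 for the default).
def strong_generate_otp(length: int = 8) -> str:
    return "".join(secrets.choice(string.digits) for _ in range(length))


def keyspace(min_value: int, max_value: int) -> int:
    """Number of distinct codes in an inclusive integer range."""
    return max_value - min_value + 1


def expected_guesses(size: int) -> float:
    """Mean attempts for exhaustive search to hit a uniformly chosen code."""
    return (size + 1) / 2


def seconds_to_exhaust(size: int, attempts_per_second: float) -> float:
    """Worst-case time to try every code at a given submission rate."""
    return size / attempts_per_second


class OtpVerifier:
    """Server-side check with an optional per-code attempt lockout.

    max_attempts=None models the missing lockout the advisory warns about.
    """

    def __init__(self, code: str, max_attempts: Optional[int] = None):
        self._code = code
        self._max_attempts = max_attempts
        self.attempts = 0
        self.locked = False

    def verify(self, guess: str) -> bool:
        if self.locked:
            return False
        self.attempts += 1
        # Constant-time compare so the check itself leaks nothing.
        ok = secrets.compare_digest(guess, self._code)
        if not ok and self._max_attempts is not None \
                and self.attempts >= self._max_attempts:
            self.locked = True
        return ok


def brute_force(verifier: OtpVerifier, candidates: Iterable[str]) -> Optional[str]:
    """Attacker loop: submit candidates until one is accepted or we are locked out."""
    for guess in candidates:
        if verifier.verify(guess):
            return guess
        if verifier.locked:
            return None
    return None


def weak_otp_candidates() -> Iterable[str]:
    """The whole weak keyspace, exactly what an attacker would enumerate."""
    return (str(n) for n in range(1000, 10000))


def demo() -> dict:
    """Run the comparison and return the figures (assumed 10 guesses/second)."""
    weak = weak_generate_otp()
    open_verifier = OtpVerifier(weak)                      # no lockout
    locked_verifier = OtpVerifier(weak, max_attempts=5)    # lockout after 5
    return {
        "weak_keyspace": keyspace(1000, 9999),
        "weak_expected_guesses": expected_guesses(keyspace(1000, 9999)),
        "weak_exhaust_seconds_at_10ps": seconds_to_exhaust(9000, 10),
        "strong_keyspace": 10 ** 8,
        "cracked_without_lockout": brute_force(open_verifier, weak_otp_candidates()) == weak,
        "cracked_with_lockout": brute_force(locked_verifier, weak_otp_candidates()) == weak,
        "lockout_triggered": locked_verifier.locked,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

At a modest 10 submissions per second the whole weak keyspace is exhausted in 15 minutes, and the average attack succeeds in half that. Lengthening the code to 8 digits raises the keyspace to 100,000,000, but the lockout (or rate limit) is what actually stops the attacker in the simulation; both controls belong together.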

Reserved 2025-05-19 | Published 2025-05-22 | Updated 2025-05-23 | Assigner GitHub_M


MEDIUM: 6.6 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U)

Problem types

CWE-521: Weak Password Requirements

Product status

< 1.0.1: affected

References

github.com/...Schule/security/advisories/GHSA-6c48-67xx-vqgc

github.com/...ommit/cd53abbea93943f2c60a5281d45bebadc57636b7

cve.org (CVE-2025-48372)

nvd.nist.gov (CVE-2025-48372)

https://cve.threatint.eu/CVE/CVE-2025-48372