We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.

Please see our statement on Data Privacy.

Crisp.chat (Helpdesk and Chat)

Ok

THREATINT
PUBLISHED

CVE-2025-48373

Schule Has Client-Side Role-Based Access Control (RBAC) Bypass Vulnerability



Description

Schule is open-source school management system software. The application relies on client-side JavaScript (index.js) to redirect users to different panels based on their role. Prior to version 1.0.1, this implementation poses a serious security risk because it assumes that the value of data.role is trustworthy on the client side. Attackers can manipulate JavaScript in the browser (e.g., via browser dev tools or intercepting API responses) and set data.role to any arbitrary value (e.g., "admin"), gaining unauthorized access to restricted areas of the application.

Reserved 2025-05-19 | Published 2025-05-22 | Updated 2025-05-27 | Assigner GitHub_M


MEDIUM: 6.6CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U

Problem types

CWE-863: Incorrect Authorization

Product status

< 1.0.1
affected

References

github.com/...Schule/security/advisories/GHSA-37h9-qq7c-6mc9

github.com/...ommit/cbf7f509c37acd69b4ab8ee19d842de867b46b7e

cve.org (CVE-2025-48373)

nvd.nist.gov (CVE-2025-48373)

Download JSON

Share this page
https://cve.threatint.eu/CVE/CVE-2025-48373

Support options

Helpdesk Chat, Email, Knowledgebase
© Copyright 2025 THREATINT
Made in Cyprus with +
 System status
Find us on
Data Privacy
Terms of Use
Logo BSI Allianz für Cyber-Sicherheit
Error loading Crisp.chat. Please check your web content filter and browser plugins.