CVE-2025-69727 — MEDIUM (5.3)

Vulnerability Description

An Incorrect Access Control vulnerability exists in INDEX-EDUCATION PRONOTE prior to 2025.2.8. The affected components (index.js and composeUrlImgPhotoIndividu) allow the construction of direct URLs to user profile images based solely on predictable identifiers such as user IDs and names. Due to missing authorization checks and lack of rate-limiting when generating or accessing these URLs, an unauthenticated or unauthorized actor may retrieve profile pictures of users by crafting requests with guessed or known identifiers.

CVSS Score

5.3

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

LOW

Integrity

NONE

Availability

NONE

Related Weaknesses (CWE)

CWE-639 CWE-284

References

FAQ

What is CVE-2025-69727?

CVE-2025-69727 is a vulnerability with a CVSS score of 5.3 (MEDIUM). An Incorrect Access Control vulnerability exists in INDEX-EDUCATION PRONOTE prior to 2025.2.8. The affected components (index.js and composeUrlImgPhotoIndividu) allow the construction of direct URLs t...

How severe is CVE-2025-69727?

CVE-2025-69727 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2025-69727?

Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.