CVE-2025-69727

An Incorrect Access Control vulnerability exists in INDEX-EDUCATION PRONOTE prior to 2025.2.8. The affected components (index.js and composeUrlImgPhotoIndividu) allow the construction of direct URLs to user profile images based solely on predictable identifiers such as user IDs and names. Due to missing authorization checks and lack of rate-limiting when generating or accessing these URLs, an unauthenticated or unauthorized actor may retrieve profile pictures of users by crafting requests with guessed or known identifiers.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://demo.index-education.net/pronote
https://github.com/0xZeroSec/CVE-2025-69727

Configurations

No configuration.

History

No history.

Information

Published : 2026-03-16 19:16

Updated : 2026-03-17 14:20

NVD link : CVE-2025-69727

Mitre link : CVE-2025-69727

CVE.ORG link : CVE-2025-69727

JSON object : View

Products Affected

No product.

CWE

CWE-284

Improper Access Control

CWE-639

Authorization Bypass Through User-Controlled Key

{"id": "CVE-2025-69727", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "published": "2026-03-16T19:16:14.560", "references": [{"url": "https://demo.index-education.net/pronote", "source": "cve@mitre.org"}, {"url": "https://github.com/0xZeroSec/CVE-2025-69727", "source": "cve@mitre.org"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-284"}, {"lang": "en", "value": "CWE-639"}]}], "descriptions": [{"lang": "en", "value": "An Incorrect Access Control vulnerability exists in INDEX-EDUCATION PRONOTE prior to 2025.2.8. The affected components (index.js and composeUrlImgPhotoIndividu) allow the construction of direct URLs to user profile images based solely on predictable identifiers such as user IDs and names. Due to missing authorization checks and lack of rate-limiting when generating or accessing these URLs, an unauthenticated or unauthorized actor may retrieve profile pictures of users by crafting requests with guessed or known identifiers."}, {"lang": "es", "value": "Una vulnerabilidad de control de acceso incorrecto existe en INDEX-EDUCATION PRONOTE anterior a 2025.2.8. Los componentes afectados (index.js y composeUrlImgPhotoIndividu) permiten la construcci\u00f3n de URL directas a im\u00e1genes de perfil de usuario bas\u00e1ndose \u00fanicamente en identificadores predecibles como ID de usuario y nombres. Debido a la falta de comprobaciones de autorizaci\u00f3n y la ausencia de limitaci\u00f3n de velocidad al generar o acceder a estas URL, un actor no autenticado o no autorizado puede recuperar im\u00e1genes de perfil de usuarios elaborando solicitudes con identificadores adivinados o conocidos."}], "lastModified": "2026-03-17T14:20:01.670", "sourceIdentifier": "cve@mitre.org"}