Student Result Management System
CVE-2025-50490
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Network-facing but requires capturing a valid session token (AC:H); success yields account takeover, so C:H/I:H, with no availability impact unlike the NVD vector.
Primary rating from Vendor (mitre).
CVSS VectorVendor: mitre
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
1DescriptionCVE.org
Improper session invalidation in the component /elms/emp-changepassword.php of PHPGurukul Student Result Management System v2.0 allows attackers to execute a session hijacking attack.
AnalysisAI
Session hijacking in PHPGurukul Student Result Management System v2.0 stems from improper session invalidation in the employee change-password handler (/elms/emp-changepassword.php), letting attackers reuse session tokens that should have been terminated to take over an authenticated account. A public proof-of-concept exists (VasilVK GitHub), but there is no public exploit identified as actively exploited; EPSS is low at 0.52% (40th percentile) and it is not on CISA KEV. This is a niche PHP educational application, so real-world exposure is limited despite the network-facing nature of the flaw.
Technical ContextAI
The affected component is a PHP web application (PHPGurukul Student Result Management System, CPE cpe:2.3:a:phpgurukul:student_result_management_system:2.0) that manages student results with an employee/admin panel. The defect lives in emp-changepassword.php, the routine that lets an employee change their password. Proper design requires invalidating all pre-existing sessions when credentials change so that stolen or stale session identifiers cannot continue to authenticate. Here that invalidation does not occur (a session-fixation/session-management weakness, most precisely CWE-613 Insufficient Session Expiration), so a previously captured session cookie remains valid. NVD tags this as CWE-20 (Improper Input Validation), which does not accurately describe the root cause - the true class is broken session lifecycle management.
RemediationAI
No vendor-released patch identified at time of analysis - the references contain only the vendor homepage (http://phpgurukul.com) and a public POC (https://github.com/VasilVK/CVE/tree/main/CVE-2025-50490), with no fixed version. As specific compensating controls: modify emp-changepassword.php to destroy and regenerate the session on password change (call session_regenerate_id(true) and invalidate all other active sessions for that user), which directly closes the flaw but requires users to re-authenticate; shorten server-side session lifetimes and enforce idle/absolute timeouts to limit the window a stale token stays valid; set Secure, HttpOnly, and SameSite attributes on session cookies and enforce HTTPS to reduce the chance an attacker captures a token in the first place; and restrict access to the /elms/ employee panel to trusted networks or a VPN if the application is internet-facing. Because this is an unmaintained-style educational PHP app, evaluate migrating off it for production use.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-20 – Improper Input Validation
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today