e-Diary Management System
CVE-2025-50492
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Network-reachable but requires first capturing a valid session token (AC:H); no prior app privileges needed (PR:N); session hijack compromises account confidentiality and integrity (C:H/I:H), not availability (A:N).
Primary rating from Vendor (mitre).
CVSS VectorVendor: mitre
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
1DescriptionCVE.org
Improper session invalidation in the component /edms/change-password.php of PHPGurukul e-Diary Management System v1 allows attackers to execute a session hijacking attack.
AnalysisAI
Session hijacking in PHPGurukul e-Diary Management System v1.0 stems from the /edms/change-password.php endpoint failing to invalidate existing sessions after a password change, so a previously captured session identifier remains valid and grants continued authenticated access. Remote attackers who obtain a victim's session token can therefore retain or take over the account even after the legitimate user rotates their password. There is no CISA KEV listing and no confirmed active exploitation; a GitHub reference (VasilVK/CVE) tracking this CVE likely contains a proof-of-concept or write-up, though PoC status is not explicitly confirmed in the source data, and EPSS is low at 0.55% (42nd percentile).
Technical ContextAI
The affected component is a PHP web application (cpe:2.3:a:phpgurukul:e-diary_management_system:1.0) - one of PHPGurukul's freely distributed CRUD-style projects commonly used for learning and small deployments. The flaw lives in change-password.php, the account credential-rotation handler, which should destroy or regenerate all active session identifiers upon a successful password change. It does not, meaning server-side session state is not tied to the current credential. NVD assigns CWE-20 (Improper Input Validation), but the described behavior is more precisely a session-management defect in the CWE-613 (Insufficient Session Expiration) / CWE-384 (Session Fixation) family; the CWE mapping should be treated as loose. The 'Information Disclosure' tag reflects that a persisted session exposes the victim's authenticated data to whoever holds the stale token.
RemediationAI
No vendor-released patch identified at time of analysis - PHPGurukul projects are frequently distributed without formal security releases, and the only references are the vendor site (http://e-diary.com) and the CVE repository (https://github.com/VasilVK/CVE/tree/main/CVE-2025-50492). As a code-level fix, modify change-password.php to call session_regenerate_id(true) and destroy all other active sessions for the account immediately after a successful password update, and invalidate server-side session records rather than relying on cookie expiry. As compensating controls until a fix is applied: set short session-cookie lifetimes and idle timeouts to shrink the window a stale token stays valid (trade-off: more frequent re-logins); enforce HttpOnly, Secure, and SameSite=Strict cookie attributes to reduce token theft via script or cross-site requests; and where feasible restrict the application behind authenticated VPN/network ACLs to limit who can reach /edms/ endpoints (trade-off: reduced accessibility for legitimate remote users).
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-20 – Improper Input Validation
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today