StudentManage
CVE-2025-50585
HIGH
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Network-reachable admin endpoint (AV:N/AC:L) requires a low-privilege authenticated session (PR:L), and SQL injection grants full read/write/delete over the database (C:H/I:H/A:H).
Primary rating from Vendor (mitre).
CVSS VectorVendor: mitre
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
StudentManage v1.0 was discovered to contain a SQL injection vulnerability via the component /admin/adminStudentUrl.
AnalysisAI
SQL injection in DayCloud StudentManage v1.0 lets an authenticated attacker inject arbitrary SQL through the /admin/adminStudentUrl component, exposing the full backing database. Rated CVSS 8.8, the flaw yields complete confidentiality, integrity, and availability impact against the application data store. Publicly available exploit code exists (referenced GitHub issue), though the product is an obscure open-source project on Gitee with no evidence of active exploitation.
Technical ContextAI
StudentManage is a small PHP/Java-style student administration web application distributed via Gitee (DayCloud/student-manage). The vulnerability is a classic CWE-89 SQL Injection: user-controlled input reaching the /admin/adminStudentUrl endpoint is concatenated into a SQL query without parameterization or sufficient sanitization, allowing an attacker to alter query structure. Because the injection sits in an administrative student-management handler, it interacts directly with the underlying relational database (typically MySQL for these Gitee CRUD apps), enabling data extraction, modification, and potentially stacked queries depending on driver configuration. The single affected build is identified by cpe:2.3:a:daycloud:studentmanage:1.0.
RemediationAI
No vendor-released patch or fixed version identified at time of analysis - only the upstream source repository (https://gitee.com/DayCloud/student-manage) and the exploit report (https://github.com/SimonKang949/Vulnerabilities/issues/2) are available. Primary fix is to rewrite the /admin/adminStudentUrl database access to use parameterized queries/prepared statements and to validate/whitelist input types; if you maintain a fork, apply this at the DAO layer. As compensating controls until a fix ships: place the /admin/ routes behind a WAF with SQLi signatures (trade-off: signature bypass is possible), restrict network access to the admin interface to trusted management IPs or a VPN (trade-off: reduces legitimate remote admin convenience), enforce least-privilege on the database account used by the app so injection cannot reach other schemas or run stacked/administrative commands (trade-off: requires DB grant review), and monitor DB logs for anomalous query patterns. Given the product's obscurity, migrating off StudentManage 1.0 entirely is a reasonable option for production environments.
More in Studentmanage
View allCross-site request forgery in StudentManage v1.0 (DayCloud) allows a remote attacker to perform unauthorized state-chang
Stored XSS in DayCloud's StudentManage v1.0 allows an authenticated administrative user to inject malicious JavaScript v
Stored cross-site scripting in DayCloud StudentManage v1.0 allows an authenticated administrator to inject malicious Jav
Stored cross-site scripting in DayCloud's StudentManage v1.0 allows authenticated administrators to inject malicious Jav
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today