Skip to main content

StudentManage CVE-2025-50585

HIGH
SQL Injection (CWE-89)
2025-07-18 cve@mitre.org
8.8
CVSS 3.1 · Vendor: mitre
Share

Severity by source

Vendor (mitre) PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.8 HIGH

Network-reachable admin endpoint (AV:N/AC:L) requires a low-privilege authenticated session (PR:L), and SQL injection grants full read/write/delete over the database (C:H/I:H/A:H).

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (mitre).

CVSS VectorVendor: mitre

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jul 05, 2026 - 01:30 vuln.today

DescriptionCVE.org

StudentManage v1.0 was discovered to contain a SQL injection vulnerability via the component /admin/adminStudentUrl.

AnalysisAI

SQL injection in DayCloud StudentManage v1.0 lets an authenticated attacker inject arbitrary SQL through the /admin/adminStudentUrl component, exposing the full backing database. Rated CVSS 8.8, the flaw yields complete confidentiality, integrity, and availability impact against the application data store. Publicly available exploit code exists (referenced GitHub issue), though the product is an obscure open-source project on Gitee with no evidence of active exploitation.

Technical ContextAI

StudentManage is a small PHP/Java-style student administration web application distributed via Gitee (DayCloud/student-manage). The vulnerability is a classic CWE-89 SQL Injection: user-controlled input reaching the /admin/adminStudentUrl endpoint is concatenated into a SQL query without parameterization or sufficient sanitization, allowing an attacker to alter query structure. Because the injection sits in an administrative student-management handler, it interacts directly with the underlying relational database (typically MySQL for these Gitee CRUD apps), enabling data extraction, modification, and potentially stacked queries depending on driver configuration. The single affected build is identified by cpe:2.3:a:daycloud:studentmanage:1.0.

RemediationAI

No vendor-released patch or fixed version identified at time of analysis - only the upstream source repository (https://gitee.com/DayCloud/student-manage) and the exploit report (https://github.com/SimonKang949/Vulnerabilities/issues/2) are available. Primary fix is to rewrite the /admin/adminStudentUrl database access to use parameterized queries/prepared statements and to validate/whitelist input types; if you maintain a fork, apply this at the DAO layer. As compensating controls until a fix ships: place the /admin/ routes behind a WAF with SQLi signatures (trade-off: signature bypass is possible), restrict network access to the admin interface to trusted management IPs or a VPN (trade-off: reduces legitimate remote admin convenience), enforce least-privilege on the database account used by the app so injection cannot reach other schemas or run stacked/administrative commands (trade-off: requires DB grant review), and monitor DB logs for anomalous query patterns. Given the product's obscurity, migrating off StudentManage 1.0 entirely is a reasonable option for production environments.

Share

CVE-2025-50585 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy