StudentManage
CVE-2025-50586
MEDIUM
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
CSRF inherently requires victim interaction, correcting NVD's UI:N to UI:R; limited confidentiality and integrity impact to application data only with no availability effect.
Primary rating from Vendor (mitre).
CVSS VectorVendor: mitre
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
1DescriptionCVE.org
StudentManage v1.0 was discovered to contain Cross-Site Request Forgery (CSRF).
AnalysisAI
Cross-site request forgery in StudentManage v1.0 (DayCloud) allows a remote attacker to perform unauthorized state-changing actions on behalf of an authenticated victim by luring them to a malicious webpage that auto-submits forged requests to the application. All default installations of v1.0 are affected per CPE data; no patched release has been identified. A publicly available proof-of-concept exploit exists, though no active exploitation has been recorded in CISA KEV and EPSS sits at a very low 0.19%.
Technical ContextAI
StudentManage v1.0 is a web-based student management application developed by DayCloud and hosted on Gitee (CPE: cpe:2.3:a:daycloud:studentmanage:1.0:*:*:*:*:*:*:*). CWE-352 (Cross-Site Request Forgery) describes a failure to verify that state-changing HTTP requests originated from the application's own authenticated context. This occurs when the application does not implement synchronizer tokens, double-submit cookies, or validate HTTP Origin/Referer headers on sensitive endpoints. An attacker can embed a hidden or auto-submitting HTML form on any webpage they control; when an authenticated user visits it, the browser forwards the victim's session cookie with the forged request, causing the application to execute the action with the victim's privileges.
RemediationAI
No vendor-released patch has been identified at time of analysis. The primary fix is to implement anti-CSRF tokens (synchronizer token pattern or double-submit cookie) on all state-changing endpoints within the application. As an immediate compensating control with no functional trade-offs for same-origin users, set the session cookie attribute to SameSite=Strict or SameSite=Lax - modern browsers will block cross-origin POST submissions with this setting, though Lax still permits some top-level navigation GET requests. Validating the HTTP Origin or Referer header against an allowlist of trusted hostnames provides an additional layer; note this may require adjustment for reverse-proxy or load-balancer deployments where headers are rewritten. The publicly documented proof-of-concept is available at https://github.com/SimonKang949/Vulnerabilities/issues/1 and can be used to confirm whether mitigations are effective.
More in Studentmanage
View allSQL injection in DayCloud StudentManage v1.0 lets an authenticated attacker inject arbitrary SQL through the /admin/admi
Stored XSS in DayCloud's StudentManage v1.0 allows an authenticated administrative user to inject malicious JavaScript v
Stored cross-site scripting in DayCloud StudentManage v1.0 allows an authenticated administrator to inject malicious Jav
Stored cross-site scripting in DayCloud's StudentManage v1.0 allows authenticated administrators to inject malicious Jav
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today