Skip to main content

StudentManage CVE-2025-50586

MEDIUM
Cross-Site Request Forgery (CSRF) (CWE-352)
2025-07-18 cve@mitre.org
6.5
CVSS 3.1 · Vendor: mitre
Share

Severity by source

Vendor (mitre) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
vuln.today AI
5.4 MEDIUM

CSRF inherently requires victim interaction, correcting NVD's UI:N to UI:R; limited confidentiality and integrity impact to application data only with no availability effect.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (mitre).

CVSS VectorVendor: mitre

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jul 05, 2026 - 02:13 vuln.today

DescriptionCVE.org

StudentManage v1.0 was discovered to contain Cross-Site Request Forgery (CSRF).

AnalysisAI

Cross-site request forgery in StudentManage v1.0 (DayCloud) allows a remote attacker to perform unauthorized state-changing actions on behalf of an authenticated victim by luring them to a malicious webpage that auto-submits forged requests to the application. All default installations of v1.0 are affected per CPE data; no patched release has been identified. A publicly available proof-of-concept exploit exists, though no active exploitation has been recorded in CISA KEV and EPSS sits at a very low 0.19%.

Technical ContextAI

StudentManage v1.0 is a web-based student management application developed by DayCloud and hosted on Gitee (CPE: cpe:2.3:a:daycloud:studentmanage:1.0:*:*:*:*:*:*:*). CWE-352 (Cross-Site Request Forgery) describes a failure to verify that state-changing HTTP requests originated from the application's own authenticated context. This occurs when the application does not implement synchronizer tokens, double-submit cookies, or validate HTTP Origin/Referer headers on sensitive endpoints. An attacker can embed a hidden or auto-submitting HTML form on any webpage they control; when an authenticated user visits it, the browser forwards the victim's session cookie with the forged request, causing the application to execute the action with the victim's privileges.

RemediationAI

No vendor-released patch has been identified at time of analysis. The primary fix is to implement anti-CSRF tokens (synchronizer token pattern or double-submit cookie) on all state-changing endpoints within the application. As an immediate compensating control with no functional trade-offs for same-origin users, set the session cookie attribute to SameSite=Strict or SameSite=Lax - modern browsers will block cross-origin POST submissions with this setting, though Lax still permits some top-level navigation GET requests. Validating the HTTP Origin or Referer header against an allowlist of trusted hostnames provides an additional layer; note this may require adjustment for reverse-proxy or load-balancer deployments where headers are rewritten. The publicly documented proof-of-concept is available at https://github.com/SimonKang949/Vulnerabilities/issues/1 and can be used to confirm whether mitigations are effective.

Share

CVE-2025-50586 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy