Online Student Clearance System
CVE-2025-60305
HIGH
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Network-reachable web app exploitable with a low-privilege account (PR:L) and no user interaction; forged admin session yields full control over data, so C/I/A all High.
Primary rating from Vendor (mitre).
CVSS VectorVendor: mitre
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
SourceCodester Online Student Clearance System 1.0 is vulnerable to Incorrect Access Control. The application contains a logic flaw which allows low privilege users can forge high privileged sessions and perform sensitive operations.
AnalysisAI
Privilege escalation in SourceCodester Online Student Clearance System 1.0 allows an authenticated low-privilege user to forge a high-privileged (administrator) session through a broken access-control logic flaw and then perform sensitive administrative operations. Publicly available exploit code exists, though the vulnerability is not listed in CISA KEV and carries a modest EPSS score of 0.40% (32nd percentile), indicating no evidence of widespread active exploitation yet. The flaw is authenticated (PR:L) but network-reachable and low-complexity, yielding full confidentiality, integrity, and availability impact.
Technical ContextAI
The affected software is SourceCodester Online Student Clearance System 1.0, a PHP/MySQL web application (CPE cpe:2.3:a:senior-walter:online_student_clearance_system:1.0) used by academic institutions to manage student clearance workflows. The root cause is CWE-284 (Improper Access Control): the application relies on client-controllable or otherwise trust-misplaced session/role attributes rather than enforcing server-side authorization checks on privileged actions. As a result, a session belonging to a low-privilege account (e.g., a student) can be manipulated to assert an administrator role, effectively bypassing the authorization boundary that should gate sensitive functions. This is a classic missing-function-level-access-control / horizontal-to-vertical privilege escalation pattern common in small PHP applications that check authentication but not authorization per action.
RemediationAI
No vendor-released patch identified at time of analysis - the project is a SourceCodester sample application and no fixed version is referenced in the available data. Because no upstream fix exists, apply compensating controls: enforce server-side authorization on every sensitive endpoint by validating the user's role from the trusted server-side session store on each request rather than from any client-supplied parameter or cookie value; specifically restrict administrative pages/actions to verified admin accounts and reject role/ID values passed in requests. Where feasible, place the application behind an authenticating reverse proxy or WAF that blocks direct access to admin routes for non-admin sessions (trade-off: requires per-route rules and may break legitimate admin access if misconfigured), and restrict network exposure of the application to trusted campus networks or VPN to reduce the pool of potential low-privilege attackers. Given this is unmaintained sample code, the most durable remediation is to migrate off the SourceCodester 1.0 codebase or have the authorization logic re-implemented and audited. Consult the public technical write-up at https://github.com/Chen1-Boop/CVE/blob/main/CVE-2025-60305.md to identify the exact vulnerable parameters to filter.
A vulnerability was found in SourceCodester Online Student Clearance System 1.0. Rated medium severity (CVSS 6.9), this
A vulnerability was found in SourceCodester Online Student Clearance System 1.0. Rated medium severity (CVSS 6.9), this
A vulnerability classified as critical was found in SourceCodester Online Student Clearance System 1.0. Rated medium sev
A vulnerability classified as problematic was found in SourceCodester Online Student Clearance System 1.0. Rated medium
A vulnerability classified as problematic has been found in SourceCodester Online Student Clearance System 1.0. Rated me
A vulnerability, which was classified as problematic, has been found in SourceCodester Online Student Clearance System 1
A vulnerability, which was classified as problematic, was found in SourceCodester Online Student Clearance System 1.0. R
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today