Skip to main content

Online Student Clearance System CVE-2025-60305

HIGH
Improper Access Control (CWE-284)
2025-10-10 cve@mitre.org
8.8
CVSS 3.1 · Vendor: mitre
Share

Severity by source

Vendor (mitre) PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.8 HIGH

Network-reachable web app exploitable with a low-privilege account (PR:L) and no user interaction; forged admin session yields full control over data, so C/I/A all High.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (mitre).

CVSS VectorVendor: mitre

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jul 05, 2026 - 02:49 vuln.today

DescriptionCVE.org

SourceCodester Online Student Clearance System 1.0 is vulnerable to Incorrect Access Control. The application contains a logic flaw which allows low privilege users can forge high privileged sessions and perform sensitive operations.

AnalysisAI

Privilege escalation in SourceCodester Online Student Clearance System 1.0 allows an authenticated low-privilege user to forge a high-privileged (administrator) session through a broken access-control logic flaw and then perform sensitive administrative operations. Publicly available exploit code exists, though the vulnerability is not listed in CISA KEV and carries a modest EPSS score of 0.40% (32nd percentile), indicating no evidence of widespread active exploitation yet. The flaw is authenticated (PR:L) but network-reachable and low-complexity, yielding full confidentiality, integrity, and availability impact.

Technical ContextAI

The affected software is SourceCodester Online Student Clearance System 1.0, a PHP/MySQL web application (CPE cpe:2.3:a:senior-walter:online_student_clearance_system:1.0) used by academic institutions to manage student clearance workflows. The root cause is CWE-284 (Improper Access Control): the application relies on client-controllable or otherwise trust-misplaced session/role attributes rather than enforcing server-side authorization checks on privileged actions. As a result, a session belonging to a low-privilege account (e.g., a student) can be manipulated to assert an administrator role, effectively bypassing the authorization boundary that should gate sensitive functions. This is a classic missing-function-level-access-control / horizontal-to-vertical privilege escalation pattern common in small PHP applications that check authentication but not authorization per action.

RemediationAI

No vendor-released patch identified at time of analysis - the project is a SourceCodester sample application and no fixed version is referenced in the available data. Because no upstream fix exists, apply compensating controls: enforce server-side authorization on every sensitive endpoint by validating the user's role from the trusted server-side session store on each request rather than from any client-supplied parameter or cookie value; specifically restrict administrative pages/actions to verified admin accounts and reject role/ID values passed in requests. Where feasible, place the application behind an authenticating reverse proxy or WAF that blocks direct access to admin routes for non-admin sessions (trade-off: requires per-route rules and may break legitimate admin access if misconfigured), and restrict network exposure of the application to trusted campus networks or VPN to reduce the pool of potential low-privilege attackers. Given this is unmaintained sample code, the most durable remediation is to migrate off the SourceCodester 1.0 codebase or have the authorization logic re-implemented and audited. Consult the public technical write-up at https://github.com/Chen1-Boop/CVE/blob/main/CVE-2025-60305.md to identify the exact vulnerable parameters to filter.

Share

CVE-2025-60305 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy