CVE-2025-2351

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-2351
A vulnerability classified as critical was found in DayCloud StudentManage 1.0. This vulnerability affects unknown code of the file /admin/adminScoreUrl of the component Login Endpoint. The manipulation of the argument query leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The vendor was contacted early about this disclosure but did not respond in any way.

7.3 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

7.5 /10

CVSS v2.0 : HIGH

V2 Legend

Vector : AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitability : 10.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References
Link Resource
https://vuldb.com/?ctiid.299818
https://vuldb.com/?id.299818
https://vuldb.com/?submit.512793
Configurations

No configuration.

History

15 Apr 2026, 00:35

Type Values Removed Values Added
Summary
  • (es) Se detectó una vulnerabilidad crítica en DayCloud StudentManage 1.0. Esta vulnerabilidad afecta al código desconocido del archivo /admin/adminScoreUrl del componente Login Endpoint. La manipulación de la consulta de argumentos provoca una inyección SQL. El ataque puede iniciarse remotamente. Se ha hecho público el exploit y puede que sea utilizado. Este producto utiliza un sistema de entrega continua con versiones continuas. Por lo tanto, no se dispone de detalles de las versiones afectadas ni de actualizaciones. Se contactó al proveedor con antelación para informarle sobre esta divulgación, pero no respondió.

16 Mar 2025, 23:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-03-16 23:15

Updated : 2026-04-15 00:35

NVD link : CVE-2025-2351

Mitre link : CVE-2025-2351

CVE.ORG link : CVE-2025-2351

JSON object : View

Products Affected

No product.

CWE
CWE-74

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')