CVE-2025-48375

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-48375
Schule is open-source school management system software. Prior to version 1.0.1, the file forgot_password.php (or equivalent endpoint responsible for email-based OTP generation) lacks proper rate limiting controls, allowing attackers to abuse the OTP request functionality. This vulnerability can be exploited to send an excessive number of OTP emails, leading to potential denial-of-service (DoS) conditions or facilitating user harassment through email flooding. Version 1.0.1 fixes the issue.

5.3 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact LOW

Scope UNCHANGED

References
Link Resource
https://github.com/schule111/Schule/security/advisories/GHSA-h3f2-mc85-67gc Vendor Advisory Exploit
Configurations

Configuration 1 (hide)

cpe:2.3:a:schule111:schule_school_management_system:1.0.0:*:*:*:*:*:*:*
History

05 Sep 2025, 14:10

Type Values Removed Values Added
First Time Schule111 schule School Management System
Schule111
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 5.3
CPE cpe:2.3:a:schule111:schule_school_management_system:1.0.0:*:*:*:*:*:*:*
References () https://github.com/schule111/Schule/security/advisories/GHSA-h3f2-mc85-67gc - () https://github.com/schule111/Schule/security/advisories/GHSA-h3f2-mc85-67gc - Vendor Advisory, Exploit

28 May 2025, 14:58

Type Values Removed Values Added
Summary
  • (es) Schule es un software de gestión escolar de código abierto. Antes de la versión 1.0.1, el archivo forgot_password.php (o el endpoint equivalente responsable de la generación de OTP por correo electrónico) carecía de controles adecuados para limitar la velocidad de respuesta, lo que permitía a los atacantes abusar de la funcionalidad de solicitud de OTP. Esta vulnerabilidad puede explotarse para enviar un número excesivo de correos electrónicos de OTP, lo que podría generar denegaciones de servicio (DoS) o facilitar el acoso a los usuarios mediante la saturación de correo electrónico. La versión 1.0.1 corrige este problema.

23 May 2025, 16:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-05-23 16:15

Updated : 2025-09-05 14:10

NVD link : CVE-2025-48375

Mitre link : CVE-2025-48375

CVE.ORG link : CVE-2025-48375

JSON object : View

Products Affected

schule111

  • schule_school_management_system
CWE
CWE-770

Allocation of Resources Without Limits or Throttling