CVE-2025-25950
Published: 03 March 2025
Description
Incorrect access control in the component /rest/staffResource/update of Serosoft Solutions Pvt Ltd Academia Student Information System (SIS) EagleR v1.0.118 allows the creation and modification of user accounts, including an Administrator account.
Security Summary
CVE-2025-25950 is an incorrect access control vulnerability affecting the /rest/staffResource/update component in Serosoft Solutions Pvt Ltd's Academia Student Information System (SIS) EagleR version 1.0.118. Published on 2025-03-03, the flaw enables unauthorized creation and modification of user accounts, including Administrator accounts, due to improper enforcement of access controls. It carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N) and maps to CWE-284 (Improper Access Control).
The vulnerability can be exploited by a low-privileged (PR:L) authenticated user over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). Exploitation allows the attacker to create or modify accounts, including escalating privileges to Administrator level, resulting in high impacts to confidentiality (C:H) and integrity (I:H) without affecting availability (A:N).
Vulnerability research, including potential proof-of-concepts, is documented in GitHub repositories such as https://github.com/VvV1per/Vulnerability-Research-CVEs/tree/main/CVE-2025-25950, https://github.com/VvV1per/Vulnerability-Research-CVEs/tree/main/CVE-2024-89637, and https://github.com/el-viper/cve-research/tree/main/CVEs/CVE-2025-25950. No official advisories or patches are referenced in available details.
Details
- CWE(s)