CVE-2025-70146
Published: 18 February 2026
Description
Missing authentication in multiple administrative action scripts under /admin/ in ProjectWorlds Online Time Table Generator 1.0 allows remote attackers to perform unauthorized administrative operations (e.g., adding records, deleting records) via direct HTTP requests to the affected endpoints without a valid session.
Mitigating Controls (NIST 800-53 r5) [AI]
- Directly requires identification, documentation, and review of actions permitted without authentication, preventing exposure of critical administrative functions in /admin/ endpoints.
- Enforces approved authorizations for access to system resources, ensuring administrative scripts require valid sessions before allowing operations like adding or deleting records.
- Monitors and controls communications at system boundaries, blocking unauthorized direct HTTP requests to unprotected /admin/ endpoints from remote attackers.
Security Summary [AI]
CVE-2025-70146 is a missing authentication vulnerability affecting multiple administrative action scripts under the /admin/ directory in ProjectWorlds Online Time Table Generator 1.0. This flaw, associated with CWE-306 (Missing Authentication for Critical Function) and CWE-862 (Missing Authorization), enables remote attackers to execute unauthorized administrative operations, such as adding or deleting records, by sending direct HTTP requests to the affected endpoints without requiring a valid session. The vulnerability has a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H), indicating critical severity due to its high impact on integrity and availability with no privileges required.
Any remote attacker with network access can exploit this vulnerability without authentication or user interaction, simply by sending HTTP requests to the unprotected /admin/ endpoints. Successful exploitation allows unauthorized use of the affected administrative functions, potentially leading to data manipulation, deletion of critical records, or disruption of the application's timetable generation services.
References include the project page at https://projectworlds.com/online-time-table-generator-php-mysql/ and a detailed analysis at https://youngkevinn.github.io/posts/CVE-2025-70146-OTTTG-Unauth-Deletion/, which cover the vulnerability discovery and exploitation details. Security practitioners should review these for reproduction steps and apply a vendor fix if one is available. Until then, block unauthenticated access to /admin/ paths at the web server or network layer as an interim mitigation, and ensure every administrative action script validates the session before acting rather than relying on the admin UI alone to gate access.
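The pattern behind this class of bug, and the fix, as an added example that is not the ProjectWorlds code (the project is PHP; this models it in Python with WSGI so it runs stand-alone). Two admin action handlers do their work for whoever reaches them, exactly the CWE-306 condition described above; a single gate in front of every /admin/ path then enforces the session check that each script was missing, and a probe enumerates the endpoints without a session the way an attacker would. The endpoint names, the PHPSESSID cookie name, the in-memory record and session stores, and the login path are all assumptions for the example.

```python
"""
Added example (not the ProjectWorlds code): admin action handlers with no
session check, a gate that enforces the check for every /admin/ path, and
an unauthenticated probe. All names and stores below are assumptions.
"""
from http.cookies import SimpleCookie
from urllib.parse import parse_qs

# Constructed in-memory stand-ins for the MySQL tables and the session store.
RECORDS = {"1": "CS101 Mon 09:00", "2": "CS102 Tue 10:00"}
SESSIONS = {"s3cr3t-admin-session": {"role": "admin"}}  # session id -> session data


def _session(environ):
    """Look up the server-side session named by the request's cookie, or None."""
    cookie = SimpleCookie(environ.get("HTTP_COOKIE", ""))
    sid = cookie["PHPSESSID"].value if "PHPSESSID" in cookie else None
    return SESSIONS.get(sid)


# --- vulnerable: each action script acts without checking who is calling ---
def add_record(environ):
    form = parse_qs(environ.get("QUERY_STRING", ""))
    new_id = str(max(map(int, RECORDS), default=0) + 1)
    RECORDS[new_id] = form.get("title", [""])[0]
    return "200 OK", f"added {new_id}"


def delete_record(environ):
    form = parse_qs(environ.get("QUERY_STRING", ""))
    RECORDS.pop(form.get("id", [""])[0], None)
    return "200 OK", "deleted"


ADMIN_ACTIONS = {
    "/admin/add_record.php": add_record,
    "/admin/delete_record.php": delete_record,
}


def vulnerable_app(environ, start_response):
    """Routes straight to the action scripts: no authentication anywhere."""
    handler = ADMIN_ACTIONS.get(environ["PATH_INFO"])
    if handler is None:
        start_response("404 Not Found", [("Content-Type", "text/plain")])
        return [b"not found"]
    status, body = handler(environ)
    start_response(status, [("Content-Type", "text/plain")])
    return [body.encode()]


# --- fix: one gate in front of every /admin/ path except the login page ---
def require_admin_session(app, login_path="/admin/login.php"):
    """Redirect any /admin/ request without a valid admin session to the login page."""
    def gated(environ, start_response):
        path = environ["PATH_INFO"]
        if path.startswith("/admin/") and path != login_path:
            sess = _session(environ)
            if sess is None or sess.get("role") != "admin":
                start_response("302 Found", [("Location", login_path)])
                return [b""]
        return app(environ, start_response)
    return gated


fixed_app = require_admin_session(vulnerable_app)


# --- probe: call each endpoint with no session, as a remote attacker would ---
def call(app, path, query="", cookie=None):
    """Invoke a WSGI app in-process and return (status code, body text)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "QUERY_STRING": query}
    if cookie:
        environ["HTTP_COOKIE"] = cookie
    captured = {}

    def start_response(status, headers):
        captured["status"] = int(status.split()[0])

    body = b"".join(app(environ, start_response))
    return captured["status"], body.decode()


def probe_unauthenticated(app, paths):
    """Return the admin endpoints that serve a 200 to a request carrying no session."""
    return [p for p in paths if call(app, p)[0] == 200]


if __name__ == "__main__":
    print("exposed (vulnerable):", probe_unauthenticated(vulnerable_app, list(ADMIN_ACTIONS)))
    print("exposed (fixed):     ", probe_unauthenticated(fixed_app, list(ADMIN_ACTIONS)))
```

The design point is that the check lives in one place that every /admin/ request passes through, so a newly added action script cannot be forgotten; in a PHP code base the equivalent is a shared guard included at the top of each script or, better, a web-server rule that fronts the whole /admin/ directory. The probe is the check a practitioner wants in CI: every administrative endpoint hit without a cookie must return a redirect or 401/403, never 200. Note that the probe really does call the vulnerable handlers, so on a live system it should only be run with harmless parameters or against a copy.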
Details
- CWE(s): CWE-306 (Missing Authentication for Critical Function), CWE-862 (Missing Authorization)
Affected Products
- ProjectWorlds Online Time Table Generator 1.0
MITRE ATT&CK Enterprise Techniques [AI]
Why these techniques?
Missing authentication on administrative /admin/ endpoints in a public-facing web application enables remote unauthenticated attackers to perform unauthorized admin operations (e.g., add/delete records), directly facilitating T1190: Exploit Public-Facing Application.