CVE-2025-60500
HIGH 7.2
Description
QDocs Smart School Management System 7.1 allows authenticated users with roles such as "accountant" or "admin" to bypass file type restrictions in the media upload feature by abusing the alternate YouTube URL option. This logic flaw permits uploading of arbitrary PHP files, which are stored in a web-accessible directory.
CVE Details
CVSS v3.1 score: 7.2
Severity: HIGH
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack vector: NETWORK
Complexity: LOW
Privileges required: HIGH
User interaction: NONE
Published: 10/21/2025
Last modified: 11/17/2025
Source: nvd
Honeypot sightings: 0
Affected products
qdocs:smart_school
Weaknesses (CWE)
CWE-434
References
https://github.com/H4zaz/CVE-2025-60500 (cve@mitre.org)
IOC correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.