CVE-2025-22931

Published: Apr 3, 2025Modified: Jul 17, 2025

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Exploitability: 3.9 / Impact: 3.6

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

Description

An insecure direct object reference (IDOR) in the component /assets/stafffiles of OS4ED openSIS v7.0 to v9.1 allows unauthenticated attackers to access files uploaded by staff members.

Affected (1)

Products: Os4ed: Opensis

Os4ed

1 product

Opensis

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Os4ed Opensis	From 7.0 to 9.1

Related CWEs

CWE-639

Authorization Bypass Through User-Controlled Key

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

References (2)

https://github.com/OS4ED/openSIS-Classic

Source: cve@mitre.org

Product

https://github.com/esusalla/vulnerability-research/tree/main/CVE-2025-22931

Source: cve@mitre.org

Third Party Advisory

Timeline

No history available yet.