CVE-2025-48372

HIGH

Schule <1.0.1 - Info Disclosure

Title source: llm

Description

Schule is open-source school management system software. The generateOTP() function generates a 4-digit numeric One-Time Password (OTP). Prior to version 1.0.1, even if a secure random number generator is used, the short length and limited range (1000–9999) results in only 9000 possible combinations. This small keyspace makes the OTP highly vulnerable to brute-force attacks, especially in the absence of strong rate-limiting or lockout mechanisms. Version 1.0.1 fixes the issue.

References (2)

[Vendor Advisory] https://github.com/schule111/Schule/security/advisories/GHSA-6c48-67xx-vqgc

[Patch] https://github.com/schule111/Schule/commit/cd53abbea93943f2c60a5281d45bebadc57636b7

View Patch ZIP pw:eip

Scores

CVSS v3 7.3

EPSS 0.0030

EPSS Percentile 53.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-521

Status published

Products (1)

schule111/schule_school_management_system 1.0.0

Published May 22, 2025

Tracked Since Feb 18, 2026