CVE-2025-48375

MEDIUM

Schule School Management System < 1.0.1 - Denial of Service via OTP Request Flooding

Title source: llm

Description

Schule is open-source school management system software. Prior to version 1.0.1, the file forgot_password.php (or equivalent endpoint responsible for email-based OTP generation) lacks proper rate limiting controls, allowing attackers to abuse the OTP request functionality. This vulnerability can be exploited to send an excessive number of OTP emails, leading to potential denial-of-service (DoS) conditions or facilitating user harassment through email flooding. Version 1.0.1 fixes the issue.

References (1)

Core 1

Core References

Exploit, Vendor Advisory x_refsource_confirm

https://github.com/schule111/Schule/security/advisories/GHSA-h3f2-mc85-67gc

Scores

CVSS v3 5.3

EPSS 0.0036

EPSS Percentile 27.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-770

Status published

Products (1)

schule111/schule_school_management_system 1.0.0

Published May 23, 2025

Tracked Since Feb 18, 2026