CRITICAL🇵🇱 Wersja polska

CVE-2025-1144

CVSS 9.8v3.1pub. 2025-02-11upd. 2026-04-15

School Affairs System from Quanxun has an Exposure of Sensitive Information, allowing unauthenticated attackers to view specific pages and obtain database information as well as plaintext administrator credentials.

🤖 AI Analysis
How it works

The vulnerability consists of the lack of proper access control mechanisms for selected pages of the web application — an attacker without any authentication can access them directly. On these pages, the application discloses sensitive system information, including database contents and administrator credentials stored in unencrypted plaintext. This has been classified as CWE-497, which is the disclosure of sensitive system information to unauthorized persons.

Impact

An attacker can obtain complete administrator system credentials in plaintext form, which in practice means full takeover of the application, its data, and potentially the infrastructure on which it runs.

Mitigation & patch

Patches available from the vendor should be applied in accordance with references published by TWCERT (https://www.twcert.org.tw/en/cp-139-8416-b6cba-2.html). Until the fix is deployed, it is recommended to restrict access to the application at the network level (firewall, VPN) exclusively to trusted IP addresses.

Who is affected

School Affairs System produced by Quanxun — specific versions indicated in the vendor references (TWCERT).

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Auth Bypass
CWE
References