CRITICAL🇵🇱 Wersja polska

CVE-2025-26199

CVSS 9.8v3.1pub. 2025-06-18upd. 2025-07-09

CloudClassroom-PHP-Project v1.0 is affected by an insecure credential transmission vulnerability. The application transmits passwords over unencrypted HTTP during the login process, exposing sensitive credentials to potential interception by network-based attackers. A remote attacker with access to the same network (e.g., public Wi-Fi or compromised router) can capture login credentials via Man-in-the-Middle (MitM) techniques. If the attacker subsequently uses the credentials to log in and exploit administrative functions (e.g., file upload), this may lead to remote code execution depending on the environment.

🤖 AI Analysis
How it works

The application does not use TLS/HTTPS encryption when transmitting the login form, which means that passwords are sent as plain text over the network. An attacker present on the same network (e.g., public Wi-Fi or compromised router) can perform a Man-in-the-Middle (MitM) attack and intercept transmitted authentication data. After obtaining login credentials, the attacker can log into the application and exploit available administrative functions — in particular the file upload function — which depending on the environment configuration may lead to remote code execution (RCE).

Impact

An attacker can intercept user login credentials, take over their accounts, and in case of obtaining administrative access — lead to remote code execution on the server, resulting in complete breach of system confidentiality, integrity, and availability.

Mitigation & patch

The application should be configured to handle only HTTPS connections with a valid TLS certificate and disable access through unencrypted HTTP. Patches available from the vendor should be applied according to references. As an interim remedial measure, it is recommended to place the application behind a reverse proxy enforcing HTTPS (e.g., nginx, Apache) and consider implementing HTTP Strict Transport Security (HSTS).

Who is affected

CloudClassroom-PHP-Project v1.0 (project by Vishalmathur)

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Vishalmathur Cloudclassroom PHP Project

    APP
    Vishalmathur
    1.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCE
CWE
References

Related vulnerabilities

CVE-2025-46179CRITICAL9.8PL ✓ten sam produkt

SQL Injection w CloudClassroom-PHP — plik askquery.php

CVE-2025-26198CRITICAL9.8PL ✓ten sam produkt

SQL Injection w CloudClassroom-PHP — ominięcie uwierzytelnienia admina

CVE-2025-45542HIGH7.3ten sam produkt

SQL injection vulnerability in the registrationform endpoint of CloudClassroom-PHP-Project v1.0. The pass para...

CVE-2024-57459HIGH7.3ten sam produkt

A time-based SQL injection vulnerability exists in mydetailsstudent.php in the CloudClassroom PHP Project 1.0....

CVE-2025-44608MEDIUM6.5ten sam produkt

CloudClassroom-PHP Project v1.0 was discovered to contain a SQL injection vulnerability via the viewid paramet...