{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-12918", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2025-11-08T16:46:55.435Z", "datePublished": "2025-11-09T08:02:05.919Z", "dateUpdated": "2025-11-14T17:45:18.489Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2025-11-09T08:02:05.919Z"}, "title": "yungifez Skuul School Management System View Fee Invoice fee-invoices resource injection", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-99", "lang": "en", "description": "Improper Control of Resource Identifiers"}]}], "affected": [{"vendor": "yungifez", "product": "Skuul School Management System", "versions": [{"version": "2.6.0", "status": "affected"}, {"version": "2.6.1", "status": "affected"}, {"version": "2.6.2", "status": "affected"}, {"version": "2.6.3", "status": "affected"}, {"version": "2.6.4", "status": "affected"}, {"version": "2.6.5", "status": "affected"}], "modules": ["View Fee Invoice"]}], "descriptions": [{"lang": "en", "value": "A security flaw has been discovered in yungifez Skuul School Management System up to 2.6.5. The impacted element is an unknown function of the file /dashboard/fees/fee-invoices/ of the component View Fee Invoice. Performing manipulation of the argument invoice_id results in improper control of resource identifiers. Remote exploitation of the attack is possible. The attack is considered to have high complexity. The exploitability is regarded as difficult. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way."}, {"lang": "de", "value": "Eine Schwachstelle wurde in yungifez Skuul School Management System up to 2.6.5 gefunden. Hierbei betrifft es unbekannten Programmcode der Datei /dashboard/fees/fee-invoices/ der Komponente View Fee Invoice. Durch Manipulation des Arguments invoice_id mit unbekannten Daten kann eine improper control of resource identifiers-Schwachstelle ausgenutzt werden. Der Angriff l\u00e4sst sich \u00fcber das Netzwerk starten. Die Komplexit\u00e4t eines Angriffs ist eher hoch. Es wird angegeben, dass die Ausnutzbarkeit schwierig ist. Der Exploit wurde der \u00d6ffentlichkeit bekannt gemacht und k\u00f6nnte verwendet werden."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 2.3, "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P", "baseSeverity": "LOW"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 3.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R", "baseSeverity": "LOW"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 3.1, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R", "baseSeverity": "LOW"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 2.1, "vectorString": "AV:N/AC:H/Au:S/C:P/I:N/A:N/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2025-11-08T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2025-11-08T01:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2025-11-08T17:51:59.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "Zeeshan Khan (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/?id.331636", "name": "VDB-331636 | yungifez Skuul School Management System View Fee Invoice fee-invoices resource injection", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.331636", "name": "VDB-331636 | CTI Indicators (IOB, IOC, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.680686", "name": "Submit #680686 | yungifez Skuul v2.6.5 Improper Access Controls", "tags": ["third-party-advisory"]}, {"url": "https://gist.github.com/thezeekhan/fbfa9a7dbc0b0b81fd868ee166839041", "tags": ["related"]}, {"url": "https://gist.github.com/thezeekhan/fbfa9a7dbc0b0b81fd868ee166839041#steps-to-reproduce", "tags": ["exploit"]}]}, "adp": [{"references": [{"url": "https://gist.github.com/thezeekhan/fbfa9a7dbc0b0b81fd868ee166839041#steps-to-reproduce", "tags": ["exploit"]}, {"url": "https://gist.github.com/thezeekhan/fbfa9a7dbc0b0b81fd868ee166839041", "tags": ["exploit"]}, {"url": "https://vuldb.com/?submit.680686", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-14T17:45:14.488659Z", "id": "CVE-2025-12918", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-14T17:45:18.489Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-12918", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-11-14T17:45:14.488659Z"}}}], "references": [{"url": "https://gist.github.com/thezeekhan/fbfa9a7dbc0b0b81fd868ee166839041#steps-to-reproduce", "tags": ["exploit"]}, {"url": "https://gist.github.com/thezeekhan/fbfa9a7dbc0b0b81fd868ee166839041", "tags": ["exploit"]}, {"url": "https://vuldb.com/?submit.680686", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-14T17:44:59.802Z"}}], "cna": {"title": "yungifez Skuul School Management System View Fee Invoice fee-invoices resource injection", "credits": [{"lang": "en", "type": "reporter", "value": "Zeeshan Khan (VulDB User)"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 2.3, "baseSeverity": "LOW", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 3.1, "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 3.1, "baseSeverity": "LOW", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 2.1, "vectorString": "AV:N/AC:H/Au:S/C:P/I:N/A:N/E:POC/RL:ND/RC:UR"}}], "affected": [{"vendor": "yungifez", "modules": ["View Fee Invoice"], "product": "Skuul School Management System", "versions": [{"status": "affected", "version": "2.6.0"}, {"status": "affected", "version": "2.6.1"}, {"status": "affected", "version": "2.6.2"}, {"status": "affected", "version": "2.6.3"}, {"status": "affected", "version": "2.6.4"}, {"status": "affected", "version": "2.6.5"}]}], "timeline": [{"lang": "en", "time": "2025-11-08T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2025-11-08T01:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2025-11-08T17:51:59.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/?id.331636", "name": "VDB-331636 | yungifez Skuul School Management System View Fee Invoice fee-invoices resource injection", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.331636", "name": "VDB-331636 | CTI Indicators (IOB, IOC, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.680686", "name": "Submit #680686 | yungifez Skuul v2.6.5 Improper Access Controls", "tags": ["third-party-advisory"]}, {"url": "https://gist.github.com/thezeekhan/fbfa9a7dbc0b0b81fd868ee166839041", "tags": ["related"]}, {"url": "https://gist.github.com/thezeekhan/fbfa9a7dbc0b0b81fd868ee166839041#steps-to-reproduce", "tags": ["exploit"]}], "descriptions": [{"lang": "en", "value": "A security flaw has been discovered in yungifez Skuul School Management System up to 2.6.5. The impacted element is an unknown function of the file /dashboard/fees/fee-invoices/ of the component View Fee Invoice. Performing manipulation of the argument invoice_id results in improper control of resource identifiers. Remote exploitation of the attack is possible. The attack is considered to have high complexity. The exploitability is regarded as difficult. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way."}, {"lang": "de", "value": "Eine Schwachstelle wurde in yungifez Skuul School Management System up to 2.6.5 gefunden. Hierbei betrifft es unbekannten Programmcode der Datei /dashboard/fees/fee-invoices/ der Komponente View Fee Invoice. Durch Manipulation des Arguments invoice_id mit unbekannten Daten kann eine improper control of resource identifiers-Schwachstelle ausgenutzt werden. Der Angriff l\u00e4sst sich \u00fcber das Netzwerk starten. Die Komplexit\u00e4t eines Angriffs ist eher hoch. Es wird angegeben, dass die Ausnutzbarkeit schwierig ist. Der Exploit wurde der \u00d6ffentlichkeit bekannt gemacht und k\u00f6nnte verwendet werden."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-99", "description": "Improper Control of Resource Identifiers"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2025-11-09T08:02:05.919Z"}}}, "cveMetadata": {"cveId": "CVE-2025-12918", "state": "PUBLISHED", "dateUpdated": "2025-11-14T17:45:18.489Z", "dateReserved": "2025-11-08T16:46:55.435Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2025-11-09T08:02:05.919Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:yungifez:skuul:*:*:*:*:*:*:*:*", "matchCriteriaId": "9993017D-E25A-4959-91D8-4A37A6B6A03B", "versionEndIncluding": "2.6.5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A security flaw has been discovered in yungifez Skuul School Management System up to 2.6.5. The impacted element is an unknown function of the file /dashboard/fees/fee-invoices/ of the component View Fee Invoice. Performing manipulation of the argument invoice_id results in improper control of resource identifiers. Remote exploitation of the attack is possible. The attack is considered to have high complexity. The exploitability is regarded as difficult. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way."}], "id": "CVE-2025-12918", "lastModified": "2025-12-11T23:36:13.693", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "HIGH", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 2.1, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:H/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.1, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 1.4, "source": "cna@vuldb.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.3, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2025-11-09T08:15:38.230", "references": [{"source": "cna@vuldb.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://gist.github.com/thezeekhan/fbfa9a7dbc0b0b81fd868ee166839041"}, {"source": "cna@vuldb.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://gist.github.com/thezeekhan/fbfa9a7dbc0b0b81fd868ee166839041#steps-to-reproduce"}, {"source": "cna@vuldb.com", "tags": ["Permissions Required", "VDB Entry"], "url": "https://vuldb.com/?ctiid.331636"}, {"source": "cna@vuldb.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://vuldb.com/?id.331636"}, {"source": "cna@vuldb.com", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "url": "https://vuldb.com/?submit.680686"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Third Party Advisory"], "url": "https://gist.github.com/thezeekhan/fbfa9a7dbc0b0b81fd868ee166839041"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Third Party Advisory"], "url": "https://gist.github.com/thezeekhan/fbfa9a7dbc0b0b81fd868ee166839041#steps-to-reproduce"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "url": "https://vuldb.com/?submit.680686"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-99"}], "source": "cna@vuldb.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-639"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"created": "2025-11-10T09:33:16.729119+00:00", "updated": "2025-11-10T09:33:16.729147+00:00", "vendors": ["yungifez", "yungifez$PRODUCT$skuul_school_management_system"]}