Impact
An Incorrect Access Control vulnerability exists in INDEX-EDUCATION PRONOTE prior to 2025.2.8. The URL of a user's profile image is derived directly from predictable identifiers such as user IDs and names, so an attacker who knows or guesses an identifier can construct the request themselves. The application neither checks whether the requester is entitled to that image nor rate-limits such requests, so an unauthenticated or otherwise unauthorized actor can retrieve profile pictures simply by enumerating identifiers. The result is a confidentiality breach: personal images are exposed to people who should not see them. The weakness maps to CWE-284 (Improper Access Control) and CWE-639 (Authorization Bypass Through User-Controlled Key), the classic insecure direct object reference pattern.
Affected Systems
Affected systems are installations of INDEX-EDUCATION PRONOTE running any build before version 2025.2.8. The components named in the advisory are index.js and composeUrlImgPhotoIndividu. No finer-grained component versions are disclosed, so every pre-2025.2.8 release should be treated as affected.
Risk and Exploitability
The CVSS score of 5.3 places this at medium severity. No EPSS data is available, but the combination of a directly constructible URL, no authorization check and no rate limiting means exploitation needs nothing more than an HTTP client and a user identifier; the attack is straightforward. The vulnerability is not in the CISA KEV catalog, so no exploitation has been confirmed there, but absence from KEV is not evidence that it is unexploited, and the low barrier to obtaining personal images warrants prompt remediation. The likely attack vector is a direct HTTP GET request to a constructed image URL; this is inferred from the description, as explicit attack steps are not provided. A quick check on a deployment: fetch a known profile-image URL from a session with no credentials, or from another user's session, and confirm that the image is refused rather than served.
OpenCVE Enrichment