{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2025-69727", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-03-16T19:05:49.605Z", "dateReserved": "2026-01-09T00:00:00.000Z", "datePublished": "2026-03-16T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-16T18:30:05.648Z"}, "descriptions": [{"lang": "en", "value": "An Incorrect Access Control vulnerability exists in INDEX-EDUCATION PRONOTE prior to 2025.2.8. The affected components (index.js and composeUrlImgPhotoIndividu) allow the construction of direct URLs to user profile images based solely on predictable identifiers such as user IDs and names. Due to missing authorization checks and lack of rate-limiting when generating or accessing these URLs, an unauthenticated or unauthorized actor may retrieve profile pictures of users by crafting requests with guessed or known identifiers."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://demo.index-education.net/pronote"}, {"url": "https://github.com/0xZeroSec/CVE-2025-69727"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-284", "lang": "en", "description": "CWE-284 Improper Access Control"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-639", "lang": "en", "description": "CWE-639 Authorization Bypass Through User-Controlled Key"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-16T19:03:43.514849Z", "id": "CVE-2025-69727", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-16T19:05:49.605Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-69727", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-16T19:03:43.514849Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284 Improper Access Control"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "CWE-639 Authorization Bypass Through User-Controlled Key"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-16T19:04:37.528Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://demo.index-education.net/pronote"}, {"url": "https://github.com/0xZeroSec/CVE-2025-69727"}], "descriptions": [{"lang": "en", "value": "An Incorrect Access Control vulnerability exists in INDEX-EDUCATION PRONOTE prior to 2025.2.8. The affected components (index.js and composeUrlImgPhotoIndividu) allow the construction of direct URLs to user profile images based solely on predictable identifiers such as user IDs and names. Due to missing authorization checks and lack of rate-limiting when generating or accessing these URLs, an unauthenticated or unauthorized actor may retrieve profile pictures of users by crafting requests with guessed or known identifiers."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-16T18:30:05.648Z"}}}, "cveMetadata": {"cveId": "CVE-2025-69727", "state": "PUBLISHED", "dateUpdated": "2026-03-16T19:05:49.605Z", "dateReserved": "2026-01-09T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-03-16T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "An Incorrect Access Control vulnerability exists in INDEX-EDUCATION PRONOTE prior to 2025.2.8. The affected components (index.js and composeUrlImgPhotoIndividu) allow the construction of direct URLs to user profile images based solely on predictable identifiers such as user IDs and names. Due to missing authorization checks and lack of rate-limiting when generating or accessing these URLs, an unauthenticated or unauthorized actor may retrieve profile pictures of users by crafting requests with guessed or known identifiers."}, {"lang": "es", "value": "Una vulnerabilidad de control de acceso incorrecto existe en INDEX-EDUCATION PRONOTE anterior a 2025.2.8. Los componentes afectados (index.js y composeUrlImgPhotoIndividu) permiten la construcci\u00f3n de URL directas a im\u00e1genes de perfil de usuario bas\u00e1ndose \u00fanicamente en identificadores predecibles como ID de usuario y nombres. Debido a la falta de comprobaciones de autorizaci\u00f3n y la ausencia de limitaci\u00f3n de velocidad al generar o acceder a estas URL, un actor no autenticado o no autorizado puede recuperar im\u00e1genes de perfil de usuarios elaborando solicitudes con identificadores adivinados o conocidos."}], "id": "CVE-2025-69727", "lastModified": "2026-05-05T20:51:09.493", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-16T19:16:14.560", "references": [{"source": "cve@mitre.org", "url": "https://demo.index-education.net/pronote"}, {"source": "cve@mitre.org", "url": "https://github.com/0xZeroSec/CVE-2025-69727"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}, {"lang": "en", "value": "CWE-639"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2025.2.8)"}}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "pronote", "vendor": "index-education"}], "analysis": {"en": {"generated_at": "2026-03-16T23:39:54.420014+00:00", "value": {"mitigation_remediation": ["Upgrade INDEX\u2011EDUCATION PRONOTE to version 2025.2.8 or later to address the access control issue.", "If an immediate upgrade is not possible, enforce authentication on image URLs or implement forced access control checks to ensure only authorized users can retrieve profile pictures.", "Introduce rate limiting on image retrieval endpoints to reduce the risk of automated enumeration.", "Monitor web server logs for abnormal or excessive access patterns to user profile image URLs.", "Check the vendor\u2019s website or security advisory feed for any further updates or patches."], "summary": {"action": "Apply Patch", "impact": "Unauthorized Disclosure of User Images"}, "threat_synthesis": {"affected_systems": "Affected systems are installations of INDEX\u2011EDUCATION PRONOTE running any build before version 2025.2.8. The vulnerable components are index.js and composeUrlImgPhotoIndividu. No additional sub\u2011feature versions are disclosed, so the entire application is considered affected for pre\u20112025.2.8 releases.", "description_and_impact": "An Incorrect Access Control vulnerability exists in INDEX-EDUCATION PRONOTE prior to 2025.2.8. The vulnerability allows attacker-controlled request construction, using predictable identifiers such as user IDs and names, to directly generate URLs that point to user profile images. Because the application omits authorization checks and does not enforce rate\u2011limiting, an unauthenticated or unauthorized actor can retrieve profile pictures simply by guessing or knowing a user\u2019s identifier. The result is a confidentiality breach where personal images are exposed to unintended individuals. The weakness aligns with CWE\u2011284 (Improper Authorization) and CWE\u2011639 (Privilege Dropping).", "risk_and_exploitability": "CVSS score of 5.3 indicates a medium severity vulnerability. EPSS data is unavailable, but the lack of rate limiting and direct URL construction means exploitation requires only a simple HTTP client and knowledge of a user identifier; the attack is thus straightforward. The vulnerability is not listed in the CISA KEV catalog, implying no known widespread exploitation yet, but the low barrier to access user images warrants prompt remediation. The likely attack vector is a direct HTTP GET request to a constructed image URL, inferred from the description since explicit attack steps are not provided."}}}}, "created": "2026-03-17T09:55:33.986025+00:00", "title": "Unauthenticated Retrieval of User Profile Images due to Missing Access Control in Pront\u00e9", "updated": "2026-03-23T14:01:01.155552+00:00", "vendors": ["index-education", "index-education$PRODUCT$pronote"]}