CVE-2025-4012

Summary

A vulnerability was found in playeduxyz PlayEdu 开源培训系统 up to 1.8 and classified as problematic. This issue affects some unknown processing of the file /api/backend/v1/user/create of the component User Avatar Handler. The manipulation of the argument Avatar leads to server-side request forgery. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Affected Software

VendorProductVersion RangeStatus
playeduxyzPlayEdu 开源培训系统1.0affected
playeduxyzPlayEdu 开源培训系统1.1affected
playeduxyzPlayEdu 开源培训系统1.2affected
playeduxyzPlayEdu 开源培训系统1.3affected
playeduxyzPlayEdu 开源培训系统1.4affected
playeduxyzPlayEdu 开源培训系统1.5affected
playeduxyzPlayEdu 开源培训系统1.6affected
playeduxyzPlayEdu 开源培训系统1.7affected
playeduxyzPlayEdu 开源培训系统1.8affected

Weaknesses

  • CWE-918: Server-Side Request Forgery

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

References