PT-2025-42909 · Unknown · Qdocs Smart School Management System

Published: 2025-10-21 · Updated: 2025-10-26 · CVE-2025-60500

CVSS v3.1: 7.2 (High)

Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

QDocs Smart School Management System version 7.1

Description

The application allows authenticated users with roles such as “accountant” or “admin” to bypass file type restrictions within the media upload feature. This is achieved by exploiting the alternate YouTube URL option, which allows the upload of arbitrary PHP files. These files are then stored in a directory accessible via the web. The vulnerable feature is the media upload function. The affected API endpoint and the vulnerable parameter are not specified.

Recommendations

Update to a newer version that contains a fix for this vulnerability.

Exploit

Fix

Unrestricted File Upload


Weakness Enumeration

Related Identifiers

CVE-2025-60500

Affected Products

Qdocs Smart School Management System