PT-2026-25793 · Undefined · Undefined

Published: 2026-03-16 · Updated: 2026-05-05

CVE-2025-69727

CVSS v3.1: 5.3 (Medium)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions

INDEX-EDUCATION PRONOTE versions prior to 2025.2.8

Description

An issue exists in INDEX-EDUCATION PRONOTE that allows the construction of direct URLs to user profile images using predictable identifiers like user IDs and names. Missing authorization checks and rate-limiting when generating or accessing these URLs could allow an unauthenticated or unauthorized actor to retrieve user profile pictures by crafting requests with guessed or known identifiers. The affected components are index.js and composeUrlImgPhotoIndividu.

Recommendations

Update to version 2025.2.8 or later.

Exploit

Fix

Improper Access Control

IDOR


Weakness Enumeration

Related Identifiers

CVE-2025-69727

Affected Products

Undefined