CVE-2025-48372

Schule Has Insecure OTP Length, is Susceptible to Brute-Force Attacks

Description

Schule is open-source school management system software. The generateOTP() function generates a 4-digit numeric One-Time Password (OTP). Prior to version 1.0.1, even if a secure random number generator is used, the short length and limited range (1000–9999) results in only 9000 possible combinations. This small keyspace makes the OTP highly vulnerable to brute-force attacks, especially in the absence of strong rate-limiting or lockout mechanisms. Version 1.0.1 fixes the issue.

References

Link	Tags
https://github.com/schule111/Schule/security/advisories/GHSA-6c48-67xx-vqgc
https://github.com/schule111/Schule/commit/cd53abbea93943f2c60a5281d45bebadc57636b7

Frequently Asked Questions

What is the severity of CVE-2025-48372?: CVE-2025-48372 has been scored as a medium severity vulnerability.
How to fix CVE-2025-48372?: To fix CVE-2025-48372, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2025-48372 being actively exploited in the wild?: As for now, there are no information to confirm that CVE-2025-48372 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2025-48372?: CVE-2025-48372 affects schule111 Schule.

This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.

Description

Category

CWE-521 – Weak Password Requirements

References

Frequently Asked Questions