CVE-2025-48375: Schule Missing Rate Limiting on OTP Email Requests – Susceptible to Abuse & DoS

6.6 CVSS

Description

Schule is open-source school management system software. Prior to version 1.0.1, the file forgot_password.php (or equivalent endpoint responsible for email-based OTP generation) lacks proper rate limiting controls, allowing attackers to abuse the OTP request functionality. This vulnerability can be exploited to send an excessive number of OTP emails, leading to potential denial-of-service (DoS) conditions or facilitating user harassment through email flooding. Version 1.0.1 fixes the issue.
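A throttling control of the kind this advisory says the OTP endpoint lacked, as an added example written in Python rather than Schule's own PHP (it is not code from the project); the limits, the in-memory storage and the sample addresses are assumptions:

```python
"""Request throttling for an email-OTP endpoint (constructed example, not Schule's code).

Shows the control whose absence CWE-770 describes: each OTP request is counted per
target email address and per client IP over a sliding window, and requests beyond
the limits are refused before any email is sent.
"""
from collections import defaultdict, deque
from typing import Optional, Tuple
import time

# Limits are illustrative assumptions; tune them to the application's expectations.
PER_EMAIL_COOLDOWN_S = 60    # at most one OTP email per address per minute
PER_EMAIL_HOURLY_MAX = 5     # and at most five per address per hour
PER_IP_HOURLY_MAX = 20       # one client IP may trigger at most twenty OTP emails per hour
WINDOW_S = 3600


class OtpRequestThrottle:
    """Sliding-window throttle; a multi-server deployment would back this with shared storage."""

    def __init__(self):
        self._by_email = defaultdict(deque)
        self._by_ip = defaultdict(deque)

    @staticmethod
    def _prune(q, now):
        while q and now - q[0] > WINDOW_S:   # drop timestamps that left the window
            q.popleft()

    def allow(self, email: str, client_ip: str, now: Optional[float] = None) -> Tuple[bool, str]:
        now = time.time() if now is None else now
        key = email.strip().lower()           # case variants of one address share one budget
        eq, iq = self._by_email[key], self._by_ip[client_ip]
        self._prune(eq, now)
        self._prune(iq, now)
        if eq and now - eq[-1] < PER_EMAIL_COOLDOWN_S:
            return False, "cooldown"
        if len(eq) >= PER_EMAIL_HOURLY_MAX:
            return False, "email_hourly_limit"
        if len(iq) >= PER_IP_HOURLY_MAX:
            return False, "ip_hourly_limit"
        eq.append(now)
        iq.append(now)
        return True, "ok"


def replay_burst(n: int, email: str = "victim@example.invalid", ip: str = "198.51.100.7") -> dict:
    """Replay n back-to-back requests (one per second) for one address and tally the decisions."""
    t, outcome = OtpRequestThrottle(), defaultdict(int)
    for i in range(n):
        outcome[t.allow(email, ip, now=1_000_000 + i)[1]] += 1
    return dict(outcome)
```

Whatever the decision, the endpoint should answer with the same generic message so that the throttle itself does not reveal which addresses exist.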

Classification

CVE ID: CVE-2025-48375

CVSS Base Severity: MEDIUM

CVSS Base Score: 6.6

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U

Problem Types

CWE-770: Allocation of Resources Without Limits or Throttling

Affected Products

Vendor: schule111

Product: Schule

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.06% (probability of being exploited)

EPSS Percentile: 17.47% (share of all scored CVEs with an EPSS score less than or equal to this one)

EPSS Date: 2025-06-18 (date on which this score was calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-48375
https://github.com/schule111/Schule/security/advisories/GHSA-h3f2-mc85-67gc

Timeline