CVE-2025-13784

Severity: 2.4 LOW

📋 TL;DR

This is a cross-site scripting (XSS) vulnerability in the yungifez Skuul School Management System that allows attackers to inject malicious scripts into the SVG file handler component. The vulnerability affects systems up to version 2.6.5 and can be exploited remotely. School administrators and users accessing the affected dashboard are at risk.

💻 Affected Systems

Products:
  • yungifez Skuul School Management System
Versions: Up to and including 2.6.5
Operating Systems: Any
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the SVG file handler component at /dashboard/schools/1/edit endpoint

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal administrator session cookies, perform actions as authenticated users, deface the application, or redirect users to malicious sites.

🟠 Likely Case

Session hijacking leading to unauthorized access to school management data, or defacement of the application interface.

🟢 If Mitigated

Limited impact with proper input validation and output encoding in place, potentially only affecting the specific vulnerable component.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit details are publicly available in GitHub gists; authentication is required to reach the vulnerable endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available

Restart Required: No

Instructions:

No official patch is available. Upgrade to any version above 2.6.5 once the vendor releases one, or apply the workarounds below.

🔧 Temporary Workarounds

Input Validation for SVG Files (applies to: all)

Implement server-side validation to sanitize SVG file content before processing.

Content Security Policy (applies to: all)

Implement CSP headers to restrict script execution from untrusted sources:

Content-Security-Policy: default-src 'self'; script-src 'self'
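One way to implement the server-side SVG validation workaround above, as an added example that is not code from the Skuul project: svg_findings is an assumed helper name that returns the reasons an uploaded SVG should be rejected (event handler attributes, script or embedding elements, javascript: links, entity declarations), and the two sample SVGs are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
# Elements that execute or embed active content when an SVG is rendered.
FORBIDDEN_TAGS = {"script", "foreignObject", "iframe", "embed", "object"}
# Link attributes whose value can carry a javascript: URL.
LINK_ATTRS = {"href", f"{{{XLINK_NS}}}href"}
ACTIVE_SCHEME = re.compile(r"^\s*(javascript|vbscript)\s*:", re.I)


def _local(name: str) -> str:
    """Strip the {namespace} prefix from an element or attribute name."""
    return name.rsplit("}", 1)[-1]


def svg_findings(data: bytes) -> list[str]:
    """Return the reasons an uploaded SVG must be rejected; an empty list means clean."""
    # An icon never needs a DOCTYPE; entity declarations enable XXE and entity
    # expansion, so refuse before handing the bytes to the XML parser at all.
    if re.search(rb"<!(DOCTYPE|ENTITY)", data, re.I):
        return ["doctype/entity declaration present"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    findings = []
    if _local(root.tag) != "svg":
        findings.append(f"root element is <{_local(root.tag)}>, not <svg>")
    for elem in root.iter():
        name = _local(elem.tag)
        if name in FORBIDDEN_TAGS:
            findings.append(f"forbidden element <{name}>")
        for attr, value in elem.attrib.items():
            if _local(attr).lower().startswith("on"):
                findings.append(f"event handler {_local(attr)} on <{name}>")
            elif attr in LINK_ATTRS and ACTIVE_SCHEME.match(value):
                findings.append(f"active URL scheme in {_local(attr)} on <{name}>")
    return findings


# Constructed samples: a harmless icon, and an upload carrying the three
# classic SVG script vectors (event handler, <script>, javascript: link).
CLEAN_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
             b'<circle cx="5" cy="5" r="4" fill="red"/></svg>')
UNSAFE_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)">'
              b'<script>alert(1)</script>'
              b'<a xmlns:xlink="http://www.w3.org/1999/xlink" '
              b'xlink:href="javascript:alert(1)"><text>x</text></a></svg>')
```

Reject the upload when the list is non-empty; logging the findings alongside the request also gives the "script-like content" indicator named in the detection section a concrete source.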

🧯 If You Can't Patch

  • Restrict access to the /dashboard/schools/1/edit endpoint using network controls or WAF rules
  • Implement output encoding for all user-controlled data rendered in the SVG handler

🔍 How to Verify

Check if Vulnerable:

Check whether the system version is 2.6.5 or earlier, and test SVG file upload with script payloads at the vulnerable endpoint.

Check Version:

Check the application version in the admin panel or configuration files.

Verify Fix Applied:

Test SVG file upload with XSS payloads and verify that the scripts are not executed.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SVG file uploads
  • Requests to /dashboard/schools/1/edit with script-like content
  • Multiple failed authentication attempts followed by SVG uploads

Network Indicators:

  • HTTP POST requests to vulnerable endpoint with SVG content containing script tags
  • Unusual outbound connections from the application server

SIEM Query:

source="web_server" AND (uri="/dashboard/schools/1/edit" AND method="POST" AND content_type="image/svg+xml")
