CVE-2025-3150

4.3 MEDIUM

📋 TL;DR

This vulnerability allows attackers to perform cross-site request forgery (CSRF) attacks against the itning Student Homework Management System. Remote attackers can trick authenticated users into executing unintended actions on the system. All users of affected versions are potentially impacted.

💻 Affected Systems

Products:
  • itning Student Homework Management System
Versions: up to version 1.2.7
Operating Systems: Any OS running the web application
Default Config Vulnerable: ⚠️ Yes
Notes: All deployments of affected versions are vulnerable regardless of configuration.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could modify grades, delete assignments, or perform administrative actions as authenticated users, potentially compromising academic integrity and system functionality.

🟠

Likely Case

Attackers create malicious pages that trick logged-in teachers or administrators into performing unintended actions like modifying homework submissions or changing system settings.

🟢

If Mitigated

With proper CSRF protections and user awareness, impact is limited to failed attack attempts with no successful exploitation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit requires user interaction (victim must visit malicious page while authenticated) but is technically simple to implement.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None found

Restart Required: No

Instructions:

No official patch available. Consider upgrading to version 1.2.8 or later if released, or implement CSRF protection manually.

🔧 Temporary Workarounds

Implement CSRF Tokens (applies to: all affected versions)

Add CSRF tokens to all state-changing forms and validate them server-side. Manual code modification is required: add CSRF token generation and validation to the form handlers.

SameSite Cookie Attribute (applies to: all affected versions)

Set SameSite=Strict or SameSite=Lax on session cookies so the browser does not attach them to cross-site requests:

Set-Cookie: session=value; SameSite=Strict; Secure; HttpOnly
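As an added illustration of both workarounds (example code, not code from the itning project): a session-bound, expiring CSRF token is issued with an HMAC, validated in constant time on every non-safe request, and the session cookie is emitted with SameSite, Secure and HttpOnly. SERVER_SECRET, the handler and the token layout are constructed for this example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed example secret; a real deployment loads this from protected config.
SERVER_SECRET = b"example-secret-do-not-use-in-production"
SAFE_METHODS = ("GET", "HEAD", "OPTIONS")


def issue_csrf_token(session_id: str, now: Optional[int] = None) -> str:
    """Issue a token bound to this session: <issued_at>.<nonce>.<hmac>."""
    ts = str(now if now is not None else int(time.time()))
    nonce = secrets.token_hex(8)
    msg = f"{session_id}|{ts}|{nonce}".encode()
    mac = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()
    return f"{ts}.{nonce}.{mac}"


def validate_csrf_token(token: Optional[str], session_id: str,
                        max_age: int = 3600, now: Optional[int] = None) -> bool:
    """True only if the MAC matches this session and the token is not expired."""
    if not token or token.count(".") != 2:
        return False
    ts, nonce, mac = token.split(".")
    if not ts.isdigit():
        return False
    msg = f"{session_id}|{ts}|{nonce}".encode()
    expected = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):  # constant-time comparison
        return False
    current = now if now is not None else int(time.time())
    return 0 <= current - int(ts) <= max_age


def handle_state_change(method: str, form: dict, session_id: str,
                        now: Optional[int] = None) -> int:
    """Gate a state-changing handler (e.g. a grade update) on a valid token.
    Returns an HTTP status code: 200 when allowed, 403 when rejected."""
    if method.upper() in SAFE_METHODS:
        return 200  # safe methods change no state and need no token
    if not validate_csrf_token(form.get("csrf_token"), session_id, now=now):
        return 403
    return 200


def session_cookie_header(session_value: str) -> str:
    """Session cookie with the attributes the workaround recommends."""
    return f"Set-Cookie: session={session_value}; SameSite=Strict; Secure; HttpOnly"
```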

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to detect and block CSRF patterns
  • Educate users about not clicking suspicious links while logged into the system

🔍 How to Verify

Check if Vulnerable:

Check whether state-changing forms lack CSRF tokens and whether session cookies are missing the SameSite attribute. Test by creating a malicious page that submits to system endpoints.

Check Version:

Check application version in admin panel or configuration files

Verify Fix Applied:

Verify all forms include unique CSRF tokens that are validated server-side. Test that cross-origin form submissions fail.

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed state-changing requests from same user in short time
  • Requests missing expected CSRF tokens

Network Indicators:

  • Cross-origin POST requests to system endpoints
  • Requests with Referer headers from external domains

SIEM Query:

web_requests WHERE (method = 'POST' OR method = 'PUT') AND (NOT csrf_token_valid OR missing_csrf_token) AND user_authenticated = true
