Cyber Resilience

CVE-2025-4807

MediumPublic PoC

Published: 16 May 2025

Published
16 May 2025
Modified
28 May 2025
KEV Added
Patch
CVSS Score v4 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0159 82.1th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-4807 is a medium-severity Exposure of Information Through Directory Listing (CWE-548) vulnerability in Senior-Walter Online Student Clearance System. Its CVSS base score is 6.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique File and Directory Discovery (T1083); ranked in the top 17.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

A vulnerability classified as problematic has been identified in SourceCodester Online Student Clearance System version 1.0. The issue stems from exposure of information through directory listing, associated with CWE-548, CWE-552, and CWE-22, and can be triggered remotely without authentication by manipulating an unspecified component.

Unauthenticated remote attackers can exploit the flaw to enumerate directory contents and obtain sensitive information about the application's file structure. The CVSS 4.0 score of 6.9 reflects network attack vector, low complexity, and limited confidentiality impact with no integrity or availability effects.

Public references including a GitHub disclosure and Vuldb entries indicate the exploit has been made available, but no vendor advisories or patch details are referenced. The EPSS score remains flat at a low 0.0159 with no observed increase since publication.

EU & UK References

Vulnerability details

A vulnerability, which was classified as problematic, was found in SourceCodester Online Student Clearance System 1.0. This affects an unknown part. The manipulation leads to exposure of information through directory listing. It is possible to initiate the attack remotely. The…

more

exploit has been disclosed to the public and may be used.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1083 File and Directory Discovery Discovery
Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.
Why these techniques?

Directory traversal and listing vulnerability enables File and Directory Discovery (T1083) by allowing unauthorized access and enumeration of server files and directories, as explicitly mapped in advisories.

Affected Assets

senior-walter
online student clearance system
1.0

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-552

Controls on authorized publication limit files and directories with nonpublic data from becoming accessible to external parties.

addresses: CWE-548

Detects information exposure through directory listings as unauthorized disclosure.

addresses: CWE-552

Controlling and documenting P2P file sharing prevents files and directories from being made accessible to external parties for unauthorized distribution.

addresses: CWE-552

Identifying and documenting file and directory locations allows restriction of access to external parties.

addresses: CWE-552

Protecting backup files ensures they are not accessible to external parties or unauthorized spheres.

addresses: CWE-552

Sanitizing equipment before off-site maintenance reduces the risk of files or directories containing sensitive data becoming accessible to external parties.

addresses: CWE-552

Policy restricts media access to authorized parties only, preventing exposure of resources to external or unauthorized actors.

addresses: CWE-552

Media access restrictions prevent files or directories from being accessible to external parties.

References