VDB
CVE-2025-4012
CVE-2025-4012
PUBLISHED
CVSS 5.099999904632568 MEDIUM
A vulnerability was found in playeduxyz PlayEdu 开源培训系统 up to 1.8 and classified as problematic. This issue affects some unknown processing of the file /api/backend/v1/user/create of the component User Avatar Handler. The manipulation of the argument Avatar leads to server-side request forgery. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
EPSS 0.37% · 59.4th percentile
Risk Scores
CVSS 4.0
5.099999904632568
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
EPSS Score
0.37%
59.4th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| playeduos | playedu | 0 |
| playeduxyz | PlayEdu 开源培训系统 | 1.1, 1.3, 1.4 |
Exploit Intelligence
- CIRCL seen: CVE-2025-4012 (circl-sighting)
- VDB-306365 | playeduxyz PlayEdu 开源培训系统 User Avatar create server-side request forgery (circl)
- VDB-306365 | CTI Indicators (IOB, IOC, IOA) (circl)
- Submit #558283 | https://gitee.com/playeduxyz/playedu v1.8 SSRF (circl)
- https://github.com/Bae-ke/cve/issues/3 (cve.org)
Timeline
- Apr 28, 2025 EPSS Score
- Apr 28, 2025 CVE Published
- Apr 28, 2025 PoC Published
- Apr 28, 2025 CVE Updated
- May 10, 2025 EPSS Score
- May 22, 2025 EPSS Score
- May 23, 2025 Coalition ESS Score
- Jun 3, 2025 EPSS Score
- Jun 15, 2025 EPSS Score
- Jun 27, 2025 EPSS Score
- Jul 9, 2025 EPSS Score
- Jul 21, 2025 EPSS Score
References
- VDB-306365 | playeduxyz PlayEdu 开源培训系统 User Avatar create server-side request forgery vdb
- VDB-306365 | CTI Indicators (IOB, IOC, IOA) url
- Submit #558283 | https://gitee.com/playeduxyz/playedu v1.8 SSRF third-party-advisory
- https://github.com/Bae-ke/cve/issues/3 exploit
- https://nvd.nist.gov/vuln/detail/CVE-2025-4012 advisory