CVE-2025-13785: Information Disclosure in yungifez Skuul School Management System
A security vulnerability has been detected in yungifez Skuul School Management System up to version 2.6.5. The issue affects some unknown processing of the file /user/profile in the Image Handler component. Manipulation of this processing leads to information disclosure. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AI Analysis
Technical Summary
CVE-2025-13785 is an information disclosure vulnerability in the yungifez Skuul School Management System, affecting versions 2.6.0 through 2.6.5. It arises from improper handling of the /user/profile endpoint within the Image Handler component. A remote attacker holding a low-privileged account can manipulate requests to this endpoint and gain unauthorized access to sensitive information. No user interaction is required, and system integrity and availability are not affected, but confidentiality is compromised by the exposure of potentially sensitive user profile data or related information. The CVSS 4.0 vector reflects this: network attack vector (AV:N), low attack complexity (AC:L), low privileges required (PR:L), no user interaction (UI:N), low confidentiality impact (VC:L), and no impact on integrity or availability. The vendor was notified early but has not responded or released patches, and although a public exploit exists, no exploitation in the wild has been observed yet. Organizations running affected versions therefore remain exposed to information leakage that could be leveraged for follow-on social engineering or targeted attacks. The flaw is particularly concerning for educational institutions, which handle sensitive student and staff data and for which a confidentiality breach is a significant risk.
Potential Impact
For European organizations, especially educational institutions using the yungifez Skuul School Management System, this vulnerability poses a risk of unauthorized disclosure of sensitive personal data such as student profiles, staff information, or other confidential records. Such data leakage can lead to privacy violations under GDPR, reputational damage, and potential legal consequences. Although the vulnerability does not allow system takeover or data modification, the exposure of sensitive information can facilitate phishing, identity theft, or targeted attacks against the institution. The medium severity rating reflects the moderate impact on confidentiality and the ease of remote exploitation without user interaction. Given the critical nature of educational data and the regulatory environment in Europe, even moderate information disclosure vulnerabilities warrant prompt attention. The lack of vendor response and patches increases the risk window, requiring organizations to implement compensating controls to protect data confidentiality.
Mitigation Recommendations
1. Immediately restrict external network access to the /user/profile endpoint of the Skuul School Management System using firewalls or web application firewalls (WAFs) to limit exposure.
2. Implement strict access controls and authentication mechanisms around the Image Handler component to ensure only authorized users can access profile data.
3. Monitor logs and network traffic for unusual or suspicious requests targeting the /user/profile endpoint to detect potential exploitation attempts early.
4. Conduct internal audits of the data exposed via this endpoint to understand the sensitivity and scope of information at risk.
5. Engage with the vendor or community to obtain patches or updates as soon as they become available and apply them promptly.
6. Consider isolating or segmenting the affected system within the network to reduce the blast radius of any potential exploitation.
7. Educate staff about the risk of phishing or social engineering attacks that could leverage leaked information.
8. Review and enhance data protection policies to ensure compliance with GDPR and other relevant regulations in case of data leakage.
9. If possible, deploy application-layer intrusion detection or prevention systems to block malicious requests targeting this vulnerability.
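Recommendation 3 (monitoring for unusual requests to /user/profile), illustrated with an added example that is not from the advisory or the Skuul project: a small Python detector that parses constructed access-log lines and flags clients making bursts of successful requests to the endpoint. The combined log format, the sample addresses and the per-minute threshold are assumptions; a real deployment's log format and a sensible baseline rate will differ.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in Apache/nginx "combined" log format (an assumption
# about the web server in front of Skuul); /user/profile is the advisory's path.
SAMPLE_LOG = """\
198.51.100.4 - - [30/Nov/2025:07:49:10 +0000] "GET /user/profile HTTP/1.1" 200 4810 "https://school.example/" "Mozilla/5.0"
203.0.113.7 - - [30/Nov/2025:07:50:01 +0000] "GET /user/profile HTTP/1.1" 200 5120 "-" "curl/8.4.0"
203.0.113.7 - - [30/Nov/2025:07:50:02 +0000] "GET /user/profile HTTP/1.1" 200 5120 "-" "curl/8.4.0"
203.0.113.7 - - [30/Nov/2025:07:50:03 +0000] "GET /user/profile HTTP/1.1" 200 5120 "-" "curl/8.4.0"
203.0.113.7 - - [30/Nov/2025:07:50:04 +0000] "GET /user/profile HTTP/1.1" 200 5120 "-" "curl/8.4.0"
203.0.113.7 - - [30/Nov/2025:07:50:05 +0000] "GET /user/profile HTTP/1.1" 404 312 "-" "curl/8.4.0"
198.51.100.4 - - [30/Nov/2025:07:55:30 +0000] "GET /user/profile HTTP/1.1" 200 4810 "https://school.example/" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*"$'
)

def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def flag_profile_requests(lines, threshold=3, window=timedelta(minutes=1)):
    """Return {ip: burst} for clients with more than `threshold` successful (2xx)
    /user/profile requests inside any `window`; blocked (4xx) attempts are ignored."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["path"].split("?", 1)[0] == "/user/profile" and 200 <= rec["status"] < 300:
            hits[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, stamps in hits.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):  # sliding window over sorted timestamps
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 > threshold:
                flagged[ip] = end - start + 1
                break
    return flagged
```

Only served (2xx) responses are counted because those are the requests that can actually have returned data; feed the flagged addresses into the audit in recommendation 4 to see what the endpoint returned to them.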
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2025-11-29T12:59:44.505Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 692bf7b982f933c5fe612651
Added to database: 11/30/2025, 7:52:25 AM
Last enriched: 12/7/2025, 8:28:53 AM
Last updated: 1/14/2026, 12:45:11 PM