## Summary

- CVE ID: CVE-2025-70147
- Product: Online Time Table Generator 1.0
- Vendor: ProjectWorlds
- Vulnerability: Missing Authentication + Sensitive Information Disclosure
- Attack Vector: Remote, Unauthenticated
- CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- CWE: CWE-306, CWE-862
- Discoverer: MinhKhoa
- Date: 2025-12-22

## Description

The ProjectWorlds Online Time Table Generator 1.0 contains an Incorrect Access Control / Missing Authentication vulnerability affecting administrative pages. The endpoints and can be accessed without a valid admin session, and they render an HTML table that includes the column for student/teacher accounts. In the default database dump shipped with the project, passwords are stored in plaintext, so this disclosure can lead to immediate account compromise.

## Steps to Reproduce (PoC)

## Impact

- Sensitive information disclosure: plaintext credentials (students/teachers), plus other PII displayed in these tables.
- Account takeover: leaked plaintext passwords can be reused to access accounts (and possibly other services where the same password was reused).

## Recommendation / Fix

- Enforce authentication and authorization for all admin pages.
- Never render password fields: remove the column from any output.
- Store passwords using a one-way password hash (e.g., PHP / ).

## Optional hardening

- Add rate limiting and logging for admin endpoints.
- Consider adding CSRF protections for state-changing admin actions.
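An added example, not code from the ProjectWorlds project, showing what the three fixes above look like together in PHP: a guard every admin page requires before rendering, a listing query that never selects the password column, and one-way hashing on account creation and login. The session key `admin_id`, the `students` table and column names, the login path and the database DSN are assumptions.

```php
<?php
// admin_students.php (hypothetical): a hardened admin listing page.
declare(strict_types=1);
session_start();

// Assumption: the admin login sets $_SESSION['admin_id'] on success.
function require_admin(): void {
    if (empty($_SESSION['admin_id'])) {
        // Log the rejected request so unauthenticated hits on admin pages are visible.
        error_log(sprintf('admin page denied: %s %s from %s',
            $_SERVER['REQUEST_METHOD'] ?? '?', $_SERVER['REQUEST_URI'] ?? '?',
            $_SERVER['REMOTE_ADDR'] ?? '?'));
        header('Location: /login.php'); // login path is an assumption
        exit;
    }
}

// List accounts with an explicit column list, so the password column is never
// selected and therefore cannot leak into the rendered table.
function list_students(PDO $db): array {
    $stmt = $db->query('SELECT id, name, email FROM students ORDER BY name');
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Account creation stores only a one-way hash (bcrypt via PASSWORD_DEFAULT).
function create_student(PDO $db, string $name, string $email, string $password): void {
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO students (name, email, password) VALUES (?, ?, ?)');
    $stmt->execute([$name, $email, $hash]);
}

// Login compares against the stored hash; the plaintext is never stored or read back.
function verify_student(PDO $db, string $email, string $password): bool {
    $stmt = $db->prepare('SELECT password FROM students WHERE email = ?');
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row !== false && password_verify($password, $row['password']);
}

// Page body: the guard runs before any query or output.
require_admin();
$db = new PDO('mysql:host=localhost;dbname=timetable', 'app_user', 'PLACEHOLDER'); // assumed DSN
echo '<table><tr><th>Name</th><th>Email</th></tr>';
foreach (list_students($db) as $s) {
    echo '<tr><td>' . htmlspecialchars($s['name'], ENT_QUOTES, 'UTF-8') . '</td><td>'
       . htmlspecialchars($s['email'], ENT_QUOTES, 'UTF-8') . '</td></tr>';
}
echo '</table>';
```

Migrating the shipped database dump means rehashing existing plaintext passwords with `password_hash()` once, or forcing a reset, since `password_verify()` cannot match stored plaintext.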