Submission #689026: yungifez Skuul v2.6.5 Exposure of Sensitive Information Through Metadata

Title: yungifez Skuul v2.6.5 Exposure of Sensitive Information Through Metadata

Description: Skuul version 2.6.5 fails to sanitize or remove embedded EXIF metadata from uploaded images. When users upload profile photos, the system stores and serves the original files without stripping metadata. This allows other users or administrators who can access or download these images to extract sensitive information, such as GPS location, device model, timestamps, and other personal data about the uploader.

Steps to Reproduce:
1. Log in to Skuul at http://127.0.0.1:8000/login as a Student, Teacher, Parent, Admin or Super Admin.
2. Navigate to http://sk.htb:8000/user/profile
3. Upload an image containing metadata, such as https://github.com/ianare/exif-samples/blob/master/jpg/gps/DSCN0010.jpg
4. Save the downloaded image locally.
6. Open the image using any online EXIF viewer such as https://www.pic2map.com or https://exif.tools.
7. Observe that sensitive EXIF data (like GPS coordinates and device information) is still present.

Impact:
- Disclosure of the user's location (via GPS metadata).
- Leakage of personal or device information (e.g., phone model, camera details).
- Violation of user privacy and institutional data protection policies.
- Potential non-compliance with GDPR or similar privacy regulations.

Recommendation:
- Implement server-side EXIF stripping for all uploaded images.
- Store and serve only sanitized image versions.
- Apply EXIF sanitization across all modules (Profile, Assignments, Attachments, etc.).
- Periodically review existing stored files to remove sensitive metadata.

Affected Version:
- Skuul v2.6.5

Product Source:
- Website: https://yungifez.github.io/skuul.org/
- GitHub Repository: https://github.com/yungifez/skuul

Credits: Zeeshan Khan https://www.thezeeshankhan.site/
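The server-side EXIF stripping recommended in the submission, as an added example that is not part of this submission or of the Skuul project: a standard-library-only Python filter that walks the JPEG marker segments ahead of the Start-of-Scan marker, drops the APP1 (EXIF and XMP, including the GPS sub-IFD and embedded thumbnail), APP13 (IPTC) and COM segments, and copies the compressed image data through unchanged, so the picture is never re-encoded. A companion check reports whether a file still carries an EXIF block and a GPS IFD pointer, which is the verification step a reviewer would run over already-stored files. All function names are my own, and the sample JPEG bytes are constructed inline (a structurally valid skeleton, not a decodable photo).

```python
"""Strip metadata segments from a JPEG without re-encoding it (added example, not Skuul code)."""
import struct

SOI, SOS, EOI = 0xD8, 0xDA, 0xD9
APP1, APP13, COM = 0xE1, 0xED, 0xFE
# Segments that hold metadata rather than image data: APP1 = EXIF (GPS sub-IFD, camera
# model, timestamps, embedded thumbnail) and XMP, APP13 = IPTC/Photoshop, COM = comment.
# APP0 (JFIF), APP2 (ICC profile) and APP14 (Adobe colour transform) are kept: decoders need them.
METADATA_MARKERS = {APP1, APP13, COM}
# Markers that carry no length field
STANDALONE = {0x01, *range(0xD0, 0xD8), SOI, EOI}
GPS_INFO_TAG = 0x8825  # IFD0 tag that points at the GPS sub-IFD


def split_jpeg(data: bytes):
    """Return (segments, tail). segments = [(marker, payload)] before SOS, payload None for
    standalone markers; tail = everything from the SOS marker to end of file."""
    if data[:2] != b"\xFF\xD8":
        raise ValueError("not a JPEG: missing SOI marker")
    segments, pos = [], 2
    while pos < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        while pos < len(data) and data[pos] == 0xFF:  # skip fill bytes
            pos += 1
        if pos >= len(data):
            raise ValueError("truncated JPEG")
        marker = data[pos]
        pos += 1
        if marker == SOS:
            return segments, b"\xFF" + bytes([marker]) + data[pos:]
        if marker in STANDALONE:
            segments.append((marker, None))
            continue
        if pos + 2 > len(data):
            raise ValueError("truncated segment length")
        (length,) = struct.unpack(">H", data[pos:pos + 2])  # length includes its own 2 bytes
        if length < 2 or pos + length > len(data):
            raise ValueError(f"bad segment length at offset {pos}")
        segments.append((marker, data[pos + 2:pos + length]))
        pos += length
    raise ValueError("no SOS marker found")


def strip_jpeg_metadata(data: bytes) -> bytes:
    """Rebuild the file with the metadata segments removed; pixel data is copied verbatim."""
    segments, tail = split_jpeg(data)
    out = bytearray(b"\xFF\xD8")
    for marker, payload in segments:
        if marker in METADATA_MARKERS:
            continue
        out += b"\xFF" + bytes([marker])
        if payload is not None:
            out += struct.pack(">H", len(payload) + 2) + payload
    out += tail
    return bytes(out)


def exif_ifd0_tags(app1_payload: bytes) -> set:
    """Tag IDs present in IFD0 of an EXIF APP1 payload (empty set if it is not EXIF)."""
    if not app1_payload.startswith(b"Exif\x00\x00"):
        return set()
    tiff = app1_payload[6:]
    order = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if order is None:
        raise ValueError("bad TIFF byte-order mark")
    magic, ifd0 = struct.unpack(order + "HI", tiff[2:8])
    if magic != 42:
        raise ValueError("bad TIFF magic")
    (count,) = struct.unpack(order + "H", tiff[ifd0:ifd0 + 2])
    return {struct.unpack(order + "H", tiff[ifd0 + 2 + 12 * i:ifd0 + 4 + 12 * i])[0]
            for i in range(count)}


def report(data: bytes) -> dict:
    """Reviewer check: does the file still carry EXIF, and does IFD0 point at a GPS sub-IFD?"""
    has_exif, has_gps = False, False
    for marker, payload in split_jpeg(data)[0]:
        if marker == APP1 and payload and payload.startswith(b"Exif\x00\x00"):
            has_exif = True
            has_gps = has_gps or GPS_INFO_TAG in exif_ifd0_tags(payload)
    return {"has_exif": has_exif, "has_gps": has_gps}


# Constructed sample: JFIF APP0, EXIF APP1 whose IFD0 holds a Model tag and a GPS IFD
# pointer, one quantisation table and a one-byte scan. Exercises the segment logic only.
_TIFF = (
    b"II*\x00\x08\x00\x00\x00"                              # little-endian header, IFD0 at 8
    + b"\x02\x00"                                           # IFD0: 2 entries
    + b"\x10\x01\x02\x00\x04\x00\x00\x00CamX"               # 0x0110 Model, ASCII, inline "CamX"
    + b"\x25\x88\x04\x00\x01\x00\x00\x00\x26\x00\x00\x00"   # 0x8825 GPSInfo -> sub-IFD at 38
    + b"\x00\x00\x00\x00"                                   # no next IFD
    + b"\x00\x00\x00\x00\x00\x00"                           # GPS sub-IFD at 38: 0 entries
)
_EXIF_APP1 = b"Exif\x00\x00" + _TIFF
SAMPLE_JPEG = (
    b"\xFF\xD8"
    + b"\xFF\xE0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    + b"\xFF\xE1" + struct.pack(">H", len(_EXIF_APP1) + 2) + _EXIF_APP1
    + b"\xFF\xDB" + struct.pack(">H", 67) + b"\x00" + bytes(64)
    + b"\xFF\xDA" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3F\x00" + b"\x12" + b"\xFF\xD9"
)

if __name__ == "__main__":
    print("before:", report(SAMPLE_JPEG))
    print("after: ", report(strip_jpeg_metadata(SAMPLE_JPEG)))
```

Run the filter at upload time and store only its output, so the original bytes never reach disk; for the "review existing stored files" step, `report()` over the upload directory lists the files that still need cleaning. One caveat of dropping the whole APP1 block is that the EXIF Orientation tag goes with it, so a photo taken in portrait mode may render rotated; if that matters, apply the rotation to the pixels (which requires decoding, e.g. with an image library) before stripping.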
Source: https://gist.github.com/thezeekhan/02f5255506080849fc732eea07008634
User: Zeeshan Khan (UID 91384)
Submitted: 04/11/2025 18:00 (8 months ago)
Moderated: 29/11/2025 13:59 (25 days later)
Status: Accepted
VulDB Entry: 333789 [yungifez Skuul School Management System up to 2.6.5 Image /user/profile information disclosure]
Points: 20
