5.3
Pronote Prior to 2025.2.8 Allows Access to User Profile Pictures
CVE-2025-69727
Summary
A security issue in Pronote allows anyone to access user profile pictures by guessing or knowing a user's ID or name. This can happen because the system doesn't check if the user is allowed to see the picture or limit how often requests are made. To fix this, update to version 2025.2.8 or later.
Original title
An Incorrect Access Control vulnerability exists in INDEX-EDUCATION PRONOTE prior to 2025.2.8. The affected components (index.js and composeUrlImgPhotoIndividu) allow the construction of direct URL...
Original description
An Incorrect Access Control vulnerability exists in INDEX-EDUCATION PRONOTE prior to 2025.2.8. The affected components (index.js and composeUrlImgPhotoIndividu) allow the construction of direct URLs to user profile images based solely on predictable identifiers such as user IDs and names. Due to missing authorization checks and lack of rate-limiting when generating or accessing these URLs, an unauthenticated or unauthorized actor may retrieve profile pictures of users by crafting requests with guessed or known identifiers.
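The three gaps named in the description (URLs built only from predictable identifiers, no authorization check, no rate limit) map to server-side checks like the ones below. This is an added example, not Pronote's code or its actual fix; every name, the `canView` table and the limits are assumptions chosen for illustration.

```javascript
// Added example with hypothetical names; not code from Pronote.
const crypto = require('node:crypto');

const SECRET = crypto.randomBytes(32);     // server-side key, never sent to clients
const TTL_MS = 5 * 60 * 1000;              // issued links expire after 5 minutes
const LIMIT = 30, WINDOW_MS = 60 * 1000;   // max photo requests per viewer per minute
const hits = new Map();                    // viewerId -> recent request timestamps

// Constructed sample data: which viewer may see which user's photo.
const canView = { 'teacher-1': new Set(['student-7', 'student-8']) };

function sign(viewerId, targetId, expires) {
  return crypto.createHmac('sha256', SECRET)
    .update(`${viewerId}|${targetId}|${expires}`).digest('hex');
}

// Issue a URL only after the authorization check; the token binds viewer, target and expiry.
function makePhotoUrl(viewerId, targetId, now = Date.now()) {
  if (!canView[viewerId]?.has(targetId)) return null;
  const expires = now + TTL_MS;
  return `/photo?u=${encodeURIComponent(targetId)}&e=${expires}` +
         `&t=${sign(viewerId, targetId, expires)}`;
}

// Returns the HTTP status the image handler should send for this request.
function checkPhotoRequest(viewerId, url, now = Date.now()) {
  if (!viewerId) return 401;                          // no authenticated session
  const recent = (hits.get(viewerId) || []).filter(ts => now - ts < WINDOW_MS);
  recent.push(now);
  hits.set(viewerId, recent);
  if (recent.length > LIMIT) return 429;              // rate limit exceeded
  const q = new URL(url, 'http://localhost').searchParams;
  const targetId = q.get('u'), expires = Number(q.get('e'));
  const got = Buffer.from(q.get('t') || '');
  const expected = Buffer.from(sign(viewerId, targetId, expires));
  if (got.length !== expected.length || !crypto.timingSafeEqual(got, expected)) return 403;
  if (!(expires > now)) return 403;                   // expired or malformed expiry
  if (!canView[viewerId]?.has(targetId)) return 403;  // re-check: rights may have changed
  return 200;
}
```

A URL guessed from a user ID alone fails the token check, and a valid URL copied to another session fails because the token is bound to the viewer it was issued to.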
Vulnerability type
CWE-284: Improper Access Control
CWE-639: Authorization Bypass Through User-Controlled Key
Published: 16 Mar 2026 · Updated: 16 Mar 2026 · First seen: 16 Mar 2026