Zhuimengshaonian Wisdom-Education Authorization Bypass Vulnerability in WrongBookController

Vulnerability

An authorization bypass vulnerability has been identified in Zhuimengshaonian Wisdom-Education versions through 1.0.4. The flaw is in the WrongBookController, in the handler behind the WrongBook interface (/student/wrongBook). The endpoint requires a valid authorization token, but it does not verify that the subjectId supplied in the request belongs to the authenticated user, so an authenticated attacker can read other users' wrong-book data simply by changing subjectId (an insecure direct object reference). The attack can be carried out remotely, and a public proof of concept is available.

Impact

Exploitation of this vulnerability allows horizontal privilege escalation: an authenticated user can read the wrong-book information of other users at the same privilege level, without needing any additional rights.

Reproduction

To reproduce, authenticate as any ordinary user and send a GET request to the /student/wrongBook endpoint with a valid authorization token for that account, setting the subjectId parameter to a value that belongs to a different user. A vulnerable instance returns the other user's wrong-book data instead of rejecting the request; a correctly authorized endpoint would answer with an error or an empty result, because the requested subjectId is not associated with the caller's account.
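The following is an added illustration, not code from the Wisdom-Education project: it models the flawed handler (lookup keyed only by subjectId after a successful token check) beside a hardened version that scopes the lookup to the authenticated student, and builds the reproduction request without sending it. The in-memory data, the token table, the Bearer header scheme and all function names are constructed for this example; only the endpoint path, the subjectId parameter and the requirement for a valid token come from the advisory.

```python
"""Model of the WrongBookController authorization bypass and its fix.

Added illustration, not the project's code. The sample data, sessions,
header scheme and function names are assumptions made for this example.
"""
from urllib.parse import urlencode

# Constructed sample data: which student owns which subject record, and
# the wrong-book entries stored per (student, subject).
SUBJECT_OWNER = {101: "alice", 102: "alice", 201: "bob"}
WRONG_BOOK = {
    ("alice", 101): ["q1: misread unit", "q7: sign error"],
    ("alice", 102): ["q3: wrong formula"],
    ("bob", 201): ["q2: skipped step"],
}
# Constructed bearer tokens mapped to the authenticated student.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}


def authenticate(token):
    """Resolve a token to a student id; raise on an invalid token."""
    try:
        return SESSIONS[token]
    except KeyError:
        raise PermissionError("401: invalid token")


def wrong_book_vulnerable(token, subject_id):
    """Flawed handler (assumed shape): the caller must be logged in, but the
    lookup is keyed only by subjectId, so any student's record is readable."""
    authenticate(token)  # authentication is enforced ...
    owner = SUBJECT_OWNER.get(subject_id)
    # ... but the owner of the subject is never compared with the caller.
    return WRONG_BOOK.get((owner, subject_id), [])


def wrong_book_fixed(token, subject_id):
    """Hardened handler: the lookup is scoped to the authenticated student."""
    student = authenticate(token)
    if SUBJECT_OWNER.get(subject_id) != student:
        # Same response for "not yours" and "does not exist", so the
        # endpoint cannot be used to enumerate valid subjectId values.
        raise PermissionError("403: subject not accessible")
    return WRONG_BOOK.get((student, subject_id), [])


def build_repro_request(base_url, token, subject_id):
    """Shape of the reproduction request: GET /student/wrongBook?subjectId=<id>
    with the attacker's own valid token. Returns (url, headers); nothing is
    sent. The Authorization header name and Bearer scheme are assumptions."""
    query = urlencode({"subjectId": subject_id})
    url = f"{base_url.rstrip('/')}/student/wrongBook?{query}"
    return url, {"Authorization": f"Bearer {token}"}


def is_idor(handler, token, foreign_subject_id):
    """Check: does a valid token for one student return another student's
    entries? True means the handler is vulnerable; a 403 means it is not."""
    try:
        return bool(handler(token, foreign_subject_id))
    except PermissionError:
        return False


if __name__ == "__main__":
    url, headers = build_repro_request("http://target.example", "tok-bob", 101)
    print(url, headers)
    # bob's token, alice's subjectId 101
    print("vulnerable handler leaks:", is_idor(wrong_book_vulnerable, "tok-bob", 101))
    print("fixed handler leaks:", is_idor(wrong_book_fixed, "tok-bob", 101))
```

The check to apply against a live instance is the one `is_idor` encodes: log in as one account, request a subjectId known to belong to another account, and treat any non-empty data in the response as confirmation. When fixing the real controller, the ownership condition belongs in the query itself (filter by the student id taken from the session, never from a request parameter), not in a separate check that a later code path can skip.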

Added: Oct 6, 2025, 5:16 AM
Updated: Oct 6, 2025, 5:16 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 6.6
remediation: 0.0
relevance: 0.7
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.