Unifiedtransform Access Control Vulnerability Allowing Unauthorized Modification of Exam Rules

Vulnerability

A vulnerability in Unifiedtransform version 2.0 allows students to change exam rules because the application performs no authorization check on the request. The issue arises in the endpoint '/exams/edit-rule?exam_rule_id=1', where a student account can alter rules that should only be editable by administrators. This flaw could lead to significant business logic errors by allowing students to manipulate exam parameters, such as passing marks, thereby undermining the integrity of the examination process.

Impact

Exploitation of this vulnerability results in unauthorized changes to exam rules, creating severe business logic errors and compromising the integrity of the exam system.

Reproduction

To reproduce this vulnerability, log into the application as a student. Navigate to the '/exams/edit-rule?exam_rule_id=1' endpoint and modify the 'exam_rule_id' parameter to target different exam rules. After changing the rules, save the changes. The changes are accepted because the endpoint never verifies that the caller is an administrator; editing exam rules is a privilege reserved for that role.
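The following Laravel snippet, added here as an illustration and not taken from Unifiedtransform's code base, shows the vulnerable pattern the advisory describes next to a hardened version. The controller, model, gate name, 'role' attribute and 'passing_marks' column are all assumptions chosen for the example; the point is that the fix is an authorization check before the record is loaded or modified, not a change to the form.

```php
<?php
// Added illustration, not Unifiedtransform's own code. Assumes a Laravel app with an
// `exam_rules` table, an `ExamRule` model and a `role` string attribute on `User`.

namespace App\Http\Controllers;

use App\Models\ExamRule;
use App\Models\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Gate;
use Illuminate\Support\Facades\Route;

class ExamRuleController extends Controller
{
    // Vulnerable pattern: the route is only behind the `auth` middleware, so any
    // logged-in account, including a student, can update whatever rule id it sends.
    public function updateRuleVulnerable(Request $request)
    {
        $rule = ExamRule::findOrFail($request->input('exam_rule_id'));
        $rule->passing_marks = $request->input('passing_marks');
        $rule->save();

        return back()->with('status', 'Rule updated');
    }

    // Hardened pattern: validate the input, then authorize the action against the
    // `manage-exam-rules` gate before the record is touched. Non-admins get a 403.
    public function updateRule(Request $request)
    {
        $data = $request->validate([
            'exam_rule_id'  => ['required', 'integer', 'exists:exam_rules,id'],
            'passing_marks' => ['required', 'integer', 'min:0', 'max:100'],
        ]);

        $rule = ExamRule::findOrFail($data['exam_rule_id']);
        Gate::authorize('manage-exam-rules', $rule); // throws AuthorizationException

        $rule->passing_marks = $data['passing_marks'];
        $rule->save();

        return back()->with('status', 'Rule updated');
    }
}

// In app/Providers/AuthServiceProvider.php (boot method): the gate that decides
// who may manage exam rules. Only the admin role passes; students are denied.
Gate::define('manage-exam-rules', function (User $user, ?ExamRule $rule = null) {
    return $user->role === 'admin';
});

// In routes/web.php: enforce the same gate at the route layer as well, so the GET
// form and the POST handler are both unreachable for students even if a
// controller method forgets to call Gate::authorize().
Route::middleware(['auth', 'can:manage-exam-rules'])->group(function () {
    Route::get('/exams/edit-rule', [ExamRuleController::class, 'editRule']);
    Route::post('/exams/edit-rule', [ExamRuleController::class, 'updateRule']);
});
```

Checking the role at both the route and the controller is deliberate: the route middleware stops a student from even rendering the form, and the in-method authorize call protects against a future route being added without the middleware. A simple regression test for this class of bug is to log in as a student in a feature test, post to the edit endpoint and assert a 403 and an unchanged 'passing_marks' value.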

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 6.6
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.