ZeroWdd Student Manager Improper Authorization Vulnerability in Teacher Controller

Vulnerability

A critical vulnerability has been identified in ZeroWdd's Student Manager version 1.0. The issue resides in the TeacherController.java file, specifically within the '/getTeacherList' endpoint. The vulnerability arises from improper authorization: the endpoint does not verify that the caller's role is permitted to view the data, so students can access data they are not authorized to see. This flaw can be exploited remotely.

Impact

Exploitation of this vulnerability allows for unauthorized access to teacher data, potentially leading to privilege escalation by allowing students to act as administrators.

Reproduction

To reproduce this vulnerability, send a POST request to the '/teacher/getTeacherList' endpoint. Include a JSESSIONID cookie to simulate an active session. The request can be made using a web browser or a tool like Postman, setting the 'X-Requested-With' header to 'XMLHttpRequest'.
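The missing server-side check, shown as an added example in the style of a Spring MVC controller. This is hypothetical code written for this page, not ZeroWdd's TeacherController; the session attribute name "role", the role values and the rule that only administrators may list teachers are assumptions.

```java
import java.util.List;
import javax.servlet.http.HttpSession;
import org.springframework.http.HttpStatus;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.server.ResponseStatusException;

// Hypothetical controller, not the project's code. Assumptions: the login handler
// stores the caller's role in the session attribute "role" ("student", "teacher" or
// "admin"), and the teacher list is meant for administrators only.
@RestController
public class TeacherListController {

    // Minimal stand-ins for the real data layer so the example is self-contained.
    public static final class Teacher { public final String name; Teacher(String n) { name = n; } }
    public interface TeacherRepository { List<Teacher> findAll(); }

    private final TeacherRepository teachers;

    public TeacherListController(TeacherRepository teachers) {
        this.teachers = teachers;
    }

    // Vulnerable pattern: every caller with a session cookie gets the list, because the
    // handler never asks who is calling. A student's JSESSIONID is enough.
    @PostMapping("/teacher/getTeacherListUnchecked")
    public List<Teacher> getTeacherListUnchecked(HttpSession session) {
        return teachers.findAll();
    }

    // Hardened pattern: authorize inside the handler, server-side. Request headers such
    // as X-Requested-With are set by the client and must never count as authorization.
    @PostMapping("/teacher/getTeacherList")
    public List<Teacher> getTeacherList(HttpSession session) {
        requireRole(session, "admin");
        return teachers.findAll();
    }

    // Deny by default: no session -> 401, wrong role (e.g. "student") -> 403.
    static void requireRole(HttpSession session, String required) {
        Object role = (session == null) ? null : session.getAttribute("role");
        if (role == null) {
            throw new ResponseStatusException(HttpStatus.UNAUTHORIZED, "login required");
        }
        if (!required.equals(role)) {
            throw new ResponseStatusException(HttpStatus.FORBIDDEN, "role " + role + " may not list teachers");
        }
    }
}
```

On Spring 6 / Spring Boot 3 the servlet import is jakarta.servlet.http.HttpSession instead of javax.servlet. A regression test for the fix replays the request above with a student session and asserts a 403 rather than a teacher list.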

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.0
exploitability: 6.0
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.