YXJ2018 SpringBoot-Vue-OnlineExam Unverified Password Change Vulnerability
Vulnerability
A vulnerability allowing unverified password changes has been identified in YXJ2018 SpringBoot-Vue-OnlineExam version 1.0. The issue arises in the file '/api/studentPWD', where the 'studentId' argument can be manipulated to change passwords without proper verification. This vulnerability can be exploited remotely.
Impact
Exploitation of this vulnerability allows for unauthorized password changes, potentially leading to unauthorized access to user accounts. Additionally, if an administrator's password is changed, it could result in significant information leakage and security issues.
Reproduction
To reproduce this vulnerability, log into an account to obtain the account ID. Once logged in, access the password modification interface. Capture the data packet sent during the password change process, which will include the account ID. Replace the ID in the packet with that of another user and send the modified packet. The password change will be processed without verification. Afterward, log in with the new password to complete the reproduction of the vulnerability.
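The root cause described above is that the endpoint trusts the 'studentId' sent by the client instead of binding the password change to the account that is actually logged in. The following is an added example (not code from YXJ2018 SpringBoot-Vue-OnlineExam) of how a Spring Boot controller for such an endpoint can be written so the target account comes only from the authenticated session and the current password is re-checked first; the `Student`, `StudentRepository` and request-body names are assumptions for illustration.

```java
// Added example, not the project's own code: a password-change endpoint that
// ignores any client-supplied account id. Student / StudentRepository are
// minimal stand-ins (assumed names) for the application's own persistence layer.
package example.security;

import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RestController;

// Stand-in entity (assumed): only the fields the check needs.
class Student {
    private String username;
    private String passwordHash;
    public String getUsername() { return username; }
    public String getPasswordHash() { return passwordHash; }
    public void setPasswordHash(String hash) { this.passwordHash = hash; }
}

// Stand-in repository (assumed): look up by the principal's username, never by an id from the request.
interface StudentRepository {
    Student findByUsername(String username);
    Student save(Student s);
}

@RestController
public class StudentPasswordController {

    // Vulnerable pattern, shown only for contrast and not used here:
    //   Student s = students.findById(req.studentId);   // id chosen by the client
    //   s.setPassword(req.newPassword);                  // no ownership or old-password check

    private final StudentRepository students;
    private final PasswordEncoder encoder;   // e.g. a BCryptPasswordEncoder bean

    public StudentPasswordController(StudentRepository students, PasswordEncoder encoder) {
        this.students = students;
        this.encoder = encoder;
    }

    // The request body deliberately has no studentId field.
    public record ChangePasswordRequest(String oldPassword, String newPassword) {}

    @PostMapping("/api/studentPWD")
    public ResponseEntity<String> changePassword(
            @AuthenticationPrincipal UserDetails principal,
            @RequestBody ChangePasswordRequest req) {

        if (principal == null) {
            return ResponseEntity.status(HttpStatus.UNAUTHORIZED).body("login required");
        }
        // The account to modify is derived from the session, not from the packet.
        Student me = students.findByUsername(principal.getUsername());
        if (me == null) {
            return ResponseEntity.status(HttpStatus.FORBIDDEN).body("no such student");
        }
        // Re-verify the current password before accepting a new one.
        if (req.oldPassword() == null || !encoder.matches(req.oldPassword(), me.getPasswordHash())) {
            return ResponseEntity.status(HttpStatus.FORBIDDEN).body("current password incorrect");
        }
        if (req.newPassword() == null || req.newPassword().length() < 8) {
            return ResponseEntity.badRequest().body("new password too short");
        }
        me.setPasswordHash(encoder.encode(req.newPassword()));
        students.save(me);
        return ResponseEntity.ok("password changed");
    }
}
```

With this shape, replaying a captured request with a different id has no effect, because the handler never reads an id from the body. An administrator-initiated reset for another account should be a separate endpoint guarded by a role check (for example `@PreAuthorize("hasRole('ADMIN')")`) rather than a hidden parameter on the self-service route, and both routes are worth logging with the acting principal and the affected account so mismatches can be alerted on.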