Institute-of-Current-Students Access Control Vulnerability in mydetailsstudent.php Endpoint
Vulnerability
A broken access control vulnerability has been identified in the Institute-of-Current-Students application, version 1.0. The issue resides in the mydetailsstudent.php endpoint, where the myds GET parameter can be manipulated to access sensitive personal information of students. This vulnerability exists because the application fails to validate the identity or permissions of users before disclosing personal data, allowing both authenticated and unauthenticated individuals to retrieve information by simply changing the email address in the request.
Impact
Exploitation of this vulnerability allows unauthorized users to access personal information of students, leading to privacy violations and potential identity theft. This behavior could also result in non-compliance with data protection regulations.
Reproduction
To reproduce this vulnerability, send a request to the mydetailsstudent.php endpoint with the myds GET parameter set to the email address of a student. The application will respond with that student's personal information, without any checks on the requester's identity or authorization.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.