PlaciPy Missing Object-Level Authorization Vulnerability in Assessment Results Endpoint

Vulnerability

A vulnerability exists in PlaciPy version 1.0.0 in the assessment results endpoint: the application verifies that the caller is authenticated but does not check that the requested result belongs to the caller, i.e. it enforces no object-level authorization. As a result, any logged-in student can retrieve the results of other students, exposing confidential academic data such as scores, rankings, and submissions. The missing authorization check also raises privacy concerns under regulations such as FERPA and GDPR, and could facilitate cheating by giving students access to peer performance data and answers.

Impact

Exploitation of this vulnerability allows for unauthorized access to assessment results, enabling students to view the results of their peers. This not only exposes confidential academic data but also violates privacy regulations and could be used to facilitate cheating.

Remediation

To address this vulnerability, it is recommended to implement role-based access controls, ensuring that students can only access their own results. Additionally, field-level filtering should be applied to hide answers and peer data, and access logging should be introduced for result retrieval.
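The following is an added illustration, not PlaciPy's own code: a minimal result-retrieval handler that first shows the flawed pattern (authentication only) and then the remediated version with an ownership check, role-based bypass for instructors, field-level filtering of the answer key, and access logging. The data model, the role names "student" and "instructor", the in-memory RESULTS store and the function names are all assumptions made for the example; the sample records are constructed.

```python
# Added example (not PlaciPy source). Shows the missing object-level authorization
# check and a hardened handler; data model, roles and names are assumed.
from dataclasses import dataclass, asdict
from typing import Optional


@dataclass
class Result:
    result_id: int
    student_id: int
    score: float
    rank: int
    submitted_answers: list      # the student's own submission
    answer_key: list             # grading key: must never reach a student


@dataclass
class User:
    user_id: int
    role: str                    # assumed roles: "student" or "instructor"


# Constructed sample data standing in for the database.
RESULTS = {
    1: Result(1, 100, 88.5, 2, ["A", "C", "B"], ["A", "C", "B"]),
    2: Result(2, 200, 72.0, 5, ["B", "B", "D"], ["A", "C", "B"]),
}

# In-memory stand-in for the access log the remediation calls for.
ACCESS_LOG: list = []


class Unauthenticated(Exception):
    pass


class Forbidden(Exception):
    pass


def get_result_vulnerable(user: Optional[User], result_id: int) -> dict:
    """The flawed pattern: authentication only. Any logged-in user can read any result_id."""
    if user is None:
        raise Unauthenticated()
    return asdict(RESULTS[result_id])


def get_result_fixed(user: Optional[User], result_id: int) -> dict:
    """Authentication, then object-level authorization, then field filtering and logging."""
    if user is None:
        raise Unauthenticated()
    result = RESULTS.get(result_id)
    owns_it = result is not None and result.student_id == user.user_id
    if user.role != "instructor" and not owns_it:
        # Same response for "no such result" and "not your result", so a student
        # cannot use the endpoint to discover which result ids exist.
        ACCESS_LOG.append(("denied", user.user_id, result_id))
        raise Forbidden()
    if result is None:
        raise KeyError(result_id)
    ACCESS_LOG.append(("allowed", user.user_id, result_id))
    if user.role == "instructor":
        return asdict(result)
    # Field-level filtering: a student sees only their own score, rank and
    # submission; the answer key is never included in a student response.
    return {
        "result_id": result.result_id,
        "score": result.score,
        "rank": result.rank,
        "submitted_answers": result.submitted_answers,
    }
```

The ownership check is evaluated on every lookup rather than once at login, which is what "object-level" authorization means in practice: the role tells the handler what kind of records a user may see, and the `student_id` comparison ties that to the specific record requested.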

Added: Feb 9, 2026, 9:17 PM
Updated: Feb 9, 2026, 10:12 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 6.3
remediation: 0.0
relevance: 2.6
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.