SpeedExam Online Examination System Broken Access Control Vulnerability Allowing Answer Key Extraction
Vulnerability
A broken access control vulnerability has been identified in SpeedExam Online Examination System (SaaS) versions after v.FEV2026. This vulnerability allows authenticated attackers to bypass client-side restrictions and directly invoke the 'ReviewAnswerDetails' ASP.NET PageMethod to access the full answer key. The issue arises from the exposure of administrative functions through ASP.NET AJAX PageMethods, which can be called without proper server-side validation of the user's exam status.
Impact
Exploitation of this vulnerability allows unauthorized extraction of answer keys from the examination system, enabling candidates to obtain the correct answers without completing the exam.
Reproduction
The vulnerability can be reproduced by an authenticated user who accesses the SpeedExam platform. Once logged in, the user can open the browser's developer console and manually call the 'ReviewAnswerDetails' function via the exposed 'PageMethods' object. This function can be invoked with any question ID obtained from the 'ExamQuestionAnswerDetails' method, which does not require authentication or exam completion verification.
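The root cause described above is a PageMethod that trusts the client to decide when it may be called. The following code-behind is an added illustration, not SpeedExam's own code: it shows the vulnerable pattern beside a hardened version that performs the missing server-side check. The helpers AnswerKeyStore, ExamAttemptService and the attempt/exam properties are hypothetical names standing in for the application's data layer.

```csharp
using System;
using System.Web;
using System.Web.Services;
using System.Web.Script.Services;
using System.Web.UI;

public partial class ExamReview : Page
{
    // BEFORE (the pattern the advisory describes): the method relies on the
    // review screen only being shown after exam completion, but PageMethods
    // are plain HTTP endpoints, so any logged-in user can call
    // PageMethods.ReviewAnswerDetails(questionId) directly.
    [WebMethod]
    [ScriptMethod(UseHttpGet = false)]
    public static object ReviewAnswerDetails_Unsafe(int questionId)
    {
        return AnswerKeyStore.Load(questionId); // hypothetical data-access helper
    }

    // AFTER: authorization is enforced on the server for every invocation.
    [WebMethod]
    [ScriptMethod(UseHttpGet = false)]
    public static object ReviewAnswerDetails(int questionId)
    {
        var user = HttpContext.Current.User;
        if (user == null || !user.Identity.IsAuthenticated)
            throw new HttpException(401, "Authentication required.");

        // Hypothetical service: resolves the exam attempt that owns this
        // question for the calling user, or null if there is none.
        var attempt = ExamAttemptService.FindForQuestion(user.Identity.Name, questionId);

        // Deny when the question belongs to no attempt of this user (prevents
        // probing arbitrary question IDs), when the attempt has not been
        // submitted yet, or when the exam does not allow answer review at all.
        bool candidateMayReview = attempt != null
                                  && attempt.IsSubmitted
                                  && attempt.Exam.AllowAnswerReview;

        if (!candidateMayReview && !user.IsInRole("Administrator"))
        {
            // Log the denial so repeated direct calls stand out in monitoring.
            AuditLog.Write("ReviewAnswerDetails denied", user.Identity.Name, questionId);
            throw new HttpException(403, "Answer review is not available.");
        }

        return AnswerKeyStore.Load(questionId);
    }
}
```

The same ownership and exam-status check belongs in every PageMethod that returns answer data, including the one that lists question IDs; a check on the review page alone does nothing, because the page is not in the request path when the method is called directly.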
