Sambitraj Student Management System Dashboard Access Control Vulnerability

Vulnerability

A broken access control vulnerability has been identified in Sambitraj Student Management System, in versions prior to commit 56ba287f2e9031523ccb4244cb6e3fe530e4e5d5. The issue resides in the Dashboard component, where an unknown function fails to enforce access controls. As a result, unauthenticated remote users can reach all backend dashboards and administrative actions. The application is continuously updated, so no specific version numbers are available for affected or patched releases. Multiple endpoints are impacted, including various administrative and dashboard management files.

Impact

Exploitation of this vulnerability allows unauthenticated users to access administrative dashboards and perform data manipulation actions, such as adding or deleting records.

Reproduction

To reproduce this vulnerability, access any of the administrative dashboard URLs (e.g., admin_dashboard.php) without a valid user session. The server will respond with the full dashboard, including sensitive data and management links. This vulnerability can also be exploited by directly calling action scripts like add_student.php or delete_student.php to manipulate records without authentication.
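The missing check described above can be enforced with a guard included at the top of every dashboard and action script. This is an added example, not the project's patch or code from the referenced commit; the file name auth_guard.php, the login.php page, the session keys user_id and role, and the role value admin are assumptions.

```php
<?php
declare(strict_types=1);

// auth_guard.php: added example, NOT the project's patch.
// Assumed names: login.php, $_SESSION['user_id'], $_SESSION['role'], role 'admin'.

function start_session_once(): void
{
    if (session_status() === PHP_SESSION_NONE) {
        // Array form requires PHP 7.3+; 'secure' assumes the site is served over HTTPS.
        session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
        session_start();
    }
}

/**
 * Deny by default. Pass $isAction = true from state-changing scripts so that
 * unauthenticated callers get a 401 instead of a redirect to the login page.
 */
function require_admin(bool $isAction = false): void
{
    start_session_once();

    if (empty($_SESSION['user_id'])) {
        if ($isAction) {
            http_response_code(401);
            exit('Authentication required');
        }
        header('Location: login.php', true, 302);
        exit; // without exit the rest of the script still runs and its output is sent
    }

    if (($_SESSION['role'] ?? null) !== 'admin') {
        http_response_code(403);
        exit('Forbidden');
    }
}

// First lines of admin_dashboard.php:
//     require_once __DIR__ . '/auth_guard.php';
//     require_admin();
//
// First lines of add_student.php and delete_student.php:
//     require_once __DIR__ . '/auth_guard.php';
//     require_admin(true);
```

After deploying a guard like this, requesting each dashboard and action URL without a session cookie should return the redirect or a 401, never the page body.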

Added: May 26, 2026, 11:57 PM
Updated: May 26, 2026, 11:57 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.0
exploitability: 8.7
remediation: 0.0
relevance: 9.6
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.