CVE-2024-12305

An object-level access control vulnerability in Unifiedtransform version 2.0 and potentially earlier versions allows unauthorized access to student grades. A malicious student user can view grades of other students by manipulating the student_id parameter in the marks viewing endpoint. The vulnerability exists due to insufficient access control checks in MarkController.php. At the time of publication of the CVE no patch is available.

CVSS v3 4.3 MEDIUM

4.3^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://huntr.com/bounties/90a7299e-9233-43fd-b666-7375c4fdbb3c

Configurations

No configuration.

History

09 Dec 2024, 09:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-12-09 09:15

Updated : 2024-12-09 09:15

NVD link : CVE-2024-12305

Mitre link : CVE-2024-12305

CVE.ORG link : CVE-2024-12305

JSON object : View

Products Affected

No product.

CWE

CWE-639

Authorization Bypass Through User-Controlled Key

4.3 /10