CVE-2026-3110 in Campus
Summary
by MITRE • 03/16/2026
Insecure Direct Object Reference (IDOR) vulnerability in Campus Educativa specifically at the endpoint '/administracion/admin_usuarios.cgi?filtro_estado=T&wAccion=listado_xlsx&wBuscar=&wFiltrar=&wOrden=alta_usuario&wid_cursoActual=[ID]' where the data of users enrolled in the course is exported. Successful exploitation of this vulnerability could allow an unauthenticated attacker to access user data (e.g., usernames, first and last names, email addresses, and phone numbers) and retrieve the data of all users enrolled in courses by performing a brute-force attack on the course ID via a manipulated URL.
Analysis
by VulDB Data Team • 05/19/2026
The vulnerability is a critical Insecure Direct Object Reference flaw in the Campus Educativa application that compromises user data through missing access control. It manifests at the administrative endpoint '/administracion/admin_usuarios.cgi', which exports course-enrollment records. The application neither authenticates requests to this endpoint nor checks whether the requester may read the course named in the wid_cursoActual parameter, so anyone who can reach the endpoint can read the enrolled users' data. No credentials or privileges are needed, which is what makes the flaw so dangerous. The attack consists of brute-forcing course identifiers to pull the user list of one course after another, bypassing the access controls that should restrict this data to authorized staff.
Technically, the flaw stems from inadequate input validation and missing access-control enforcement in the backend handler. When a request reaches '/administracion/admin_usuarios.cgi', the handler uses the wid_cursoActual value directly, without checking that the requester is authorized for that course. The parameter is therefore a direct reference to a protected object, and an attacker can enumerate course IDs to reach user data from courses they should never see. The export design makes matters worse: the 'listado_xlsx' action returns the records as a spreadsheet, a convenient format for harvesting and processing large volumes of personal data, yet it carries no access control of its own. The weakness is classified as CWE-284, which covers inadequate access control mechanisms, and aligns with ATT&CK technique T1213.002 for Data from Information Repositories, i.e. abuse of weak access controls to read a sensitive data store.
Operationally, the impact goes beyond a single disclosure: systematic enumeration of course identifiers can expose hundreds or thousands of user records, each carrying a username, full name, email address and phone number. Such data feeds follow-on attacks such as credential stuffing, social engineering and phishing against the affected users. Because no authentication is needed, the export can be repeated continuously and, absent monitoring, without detection, letting an attacker harvest data over an extended period. The exposed fields are personally identifiable information, so the flaw is also a compliance risk under privacy regulations such as GDPR, CCPA and other applicable data protection laws; organizations running the application face potential legal and financial consequences if the data is used for identity theft, fraud or other malicious activity.
Mitigation must close the immediate access-control gap and harden the surrounding architecture against similar flaws. The primary fix is server-side authentication and authorization at the endpoint: every request to '/administracion/admin_usuarios.cgi' must carry a valid session, and the course in wid_cursoActual must be checked against that user's permissions through role-based access control before any record is read. Input validation of the parameter should reject malformed values, and rate limiting or anti-brute-force controls should make systematic course enumeration impractical. Access attempts, including denied ones, should be logged and monitored so that enumeration patterns raise an alert. A least-privilege model, in which users see only the courses relevant to their role, limits the blast radius of any remaining flaw. These are the access-control and authentication controls that frameworks such as NIST SP 800-53 and ISO 27001 call for to protect sensitive information assets. Finally, parameter sanitization should be applied so that injection flaws cannot be chained with this one to escalate privileges or reach other system resources.
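The authorization gate and denial monitoring described above, as an added Python example that is not Campus Educativa code; the Session roles, the enrolment table, the thresholds and the log-line format are constructed assumptions:

```python
# Added example (not Campus Educativa code): the server-side check the analysis
# recommends for the listado_xlsx export, plus a denial counter that flags
# course-ID enumeration. Roles, enrolment data and log format are assumptions.
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Session:
    user_id: Optional[str] = None   # None means the request carries no valid login
    role: str = "student"            # assumed roles: "student", "teacher", "admin"
    teaches: set = field(default_factory=set)   # course ids this teacher owns

# Constructed enrolment table: course id -> enrolled user records.
ENROLMENTS = {
    "101": [{"user": "alice", "email": "alice@example.org"}],
    "102": [{"user": "bob", "email": "bob@example.org"}],
}

WINDOW_S, MAX_DENIALS = 60, 5
_denials = defaultdict(list)   # client ip -> timestamps of denied exports

def _record_denial(client_ip, now):
    hist = _denials[client_ip]
    hist.append(now)
    hist[:] = [t for t in hist if now - t <= WINDOW_S]   # keep only the last window
    return len(hist)

def export_course_users(session, course_id, client_ip, now=0.0):
    """Authorization gate for the export: the caller must be logged in and
    entitled to *this* course. Returns (True, records) or (False, reason)."""
    if session.user_id is None:
        reason = "unauthenticated"
    elif not course_id.isdigit():          # validate the parameter before any lookup
        reason = "bad_course_id"
    elif session.role == "admin" or course_id in session.teaches:
        return True, list(ENROLMENTS.get(course_id, []))
    else:
        reason = "not_authorised_for_course"
    n = _record_denial(client_ip, now)
    # Constructed log line; a real deployment would forward it to its SIEM.
    print(f"DENY ip={client_ip} course={course_id} reason={reason} denials={n}")
    return False, reason

def enumeration_suspected(client_ip):
    """True once a client has collected MAX_DENIALS denied exports inside WINDOW_S."""
    return len(_denials[client_ip]) >= MAX_DENIALS
```

Because denied attempts are counted per client rather than per course, a brute-force sweep across course IDs trips the threshold even though each individual request looks ordinary.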