| Field | Value |
|---|---|
| Title | https://www.sourcecodester.com/ CET Automated Grading System with AI Predictive Analytics in PHP and MySQL Version: 1.0 Improper Access Controls |

Description:

An Improper Access Control vulnerability exists in the CET AI Predictive Grading System. The student self-registration endpoint in index.php (lines 99-126) allows any unauthenticated user to create a student account without admin approval, email verification, or validation that the supplied Student ID Number matches an existing registered student record. An attacker can register with a completely fabricated Student ID Number and gain authenticated access to the system as a student role. No rate limiting or CAPTCHA is implemented on the registration endpoint, allowing mass account creation.

Vulnerable Code (index.php lines 109-114):

```php
// Registration handler: the submitted values are inserted directly, with no
// check that the Student ID Number belongs to an enrolled student and no
// approval step before the new account becomes usable.
$stmt = $pdo->prepare("INSERT INTO students
    (name, student_id_number, year_level, section)
    VALUES (?, ?, ?, ?)");
$stmt->execute([$name, $student_id_number, $year_level, $section]);
```

Fix:

Validate the supplied Student ID Number against a pre-approved list before allowing registration, and require admin approval before activating the account.

Steps to Reproduce:

1. Navigate to the registration page http://[host]/PersonalAGS/index.php?action=register
2. Fill in any name and a fabricated Student ID (e.g. STU-9999-999)
3. Enter a chosen username and password
4. Submit the form — the account is created immediately
5. Log in using the new credentials
6. Access is granted as a student role with no verification

Impact:

- Unauthorized access to student grade records
- Mass account creation and database flooding
- Bypass of institutional enrollment verification

Auth Required: No
User Interaction: None
CWE: CWE-284
CVSS: 7.5 (High)
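The fix described above (roster validation plus admin approval), written out as an added example rather than the project's own code. It assumes a PDO connection in `$pdo`, a registrar-maintained roster table `enrolled_students` with a `student_id_number` column, and an added `status` column on `students` holding `'pending'` or `'active'`; all three are assumptions for this example.

```php
<?php
// Added example (not from the original page or project). Assumed schema:
//   enrolled_students(student_id_number)            -- registrar's roster
//   students(..., status ENUM('pending','active'))  -- added status column
// A UNIQUE constraint on students.student_id_number is also assumed, so the
// duplicate check below cannot be raced by two concurrent registrations.

function registerStudent(PDO $pdo, string $name, string $studentIdNumber,
                         string $yearLevel, string $section): array
{
    // 1. The supplied ID must already exist in the registrar's roster;
    //    a fabricated ID such as STU-9999-999 fails here.
    $roster = $pdo->prepare(
        "SELECT 1 FROM enrolled_students WHERE student_id_number = ?");
    $roster->execute([$studentIdNumber]);
    if ($roster->fetchColumn() === false) {
        return ['ok' => false, 'error' => 'Student ID is not enrolled'];
    }

    // 2. One account per roster entry: refuse a second registration for an
    //    ID that already has a (pending or active) account.
    $dup = $pdo->prepare(
        "SELECT 1 FROM students WHERE student_id_number = ?");
    $dup->execute([$studentIdNumber]);
    if ($dup->fetchColumn() !== false) {
        return ['ok' => false, 'error' => 'Account already exists for this ID'];
    }

    // 3. Create the row as 'pending'. Only an admin action (not shown) sets
    //    status = 'active'; until then the account cannot be used.
    $stmt = $pdo->prepare("INSERT INTO students
        (name, student_id_number, year_level, section, status)
        VALUES (?, ?, ?, ?, 'pending')");
    $stmt->execute([$name, $studentIdNumber, $yearLevel, $section]);

    return ['ok' => true, 'status' => 'pending'];
}

// The login path must honour the flag, or a 'pending' row is still a usable
// account. Call this after the password check and before issuing a session.
function isAccountActive(PDO $pdo, string $studentIdNumber): bool
{
    $q = $pdo->prepare(
        "SELECT status FROM students WHERE student_id_number = ?");
    $q->execute([$studentIdNumber]);
    return $q->fetchColumn() === 'active';
}
```

Rate limiting the registration endpoint (per source address or per session) is a separate control and is not shown here.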
| Field | Value |
|---|---|
| Source | https://cwe.mitre.org/data/definitions/284.html |
| User | Abhay mp (UID 98542) |
| Submission | 26/05/2026 19:33 (23 days ago) |
| Moderation | 17/06/2026 15:50 (22 days later) |
| Status | Accepted |
| VulDB Entry | 371976 [SourceCodester CET Automated Grading System with AI Predictive Analytics Student Self-Registration Endpoint /index.php privilege escalation] |
| Points | 20 |