| 제목 | SourceCodester Online Examination & Learning Management System 1.0 Missing Authorization |
|---|
| 설명 | The ajax_enroll.php endpoint processes enrollment and unenrollment requests from any authenticated user without verifying the user's role or their relationship to the target student_id. The endpoint reads $_POST['student_id'], $_POST['schedule_id'], and $_POST['action'] directly from the request body and performs the corresponding database operation with no authorization logic.
No CSRF token is implemented, enabling cross-site request forgery. |
|---|
| 원천 | ⚠️ https://github.com/nuiifornet/A033/blob/main/OE-LMS-IDOR-ajax_enroll.md |
|---|
| 사용자 | Fklov (UID 98102) |
|---|
| 제출 | 2026. 06. 06. PM 08:59 (29 날 ago) |
|---|
| 모더레이션 | 2026. 07. 05. AM 06:08 (28 days later) |
|---|
| 상태 | 수락 |
|---|
| VulDB 항목 | 376368 [SourceCodester Onlne Examination & Learning Management System 1.0 Enrollment Management /ajax_enroll.php student_id/schedule_id/action 권한 상승] |
|---|
| 포인트들 | 20 |
|---|