| Field | Value |
|---|---|
| Title | ProjectsAndPrograms school-management-system before commit 6b6fae5 Broken Access Control |
| Description | Broken Access Control (Unauthenticated Arbitrary Data Deletion/Manipulation): A critical Broken Access Control vulnerability exists across the entire API architecture within the assets/ directory of the School Management System. All operational endpoints (such as removeStudent.php, addStudent.php, editStudent.php, and deleteFeedbackWithId.php) completely lack any authentication checks or session validation mechanisms.<br>These scripts merely include the database connection file (config.php) and immediately execute sensitive database operations based on user-supplied POST parameters, without ever invoking session_start() or verifying the requester's role (Admin/Owner). Consequently, any unauthenticated, remote attacker can directly access these endpoints to manipulate, modify, or destroy critical database records.<br>This is a critical severity vulnerability. The complete absence of access controls allows for:<br>- Database Pollution: Attackers can inject a massive volume of fake records, severely degrading the system's performance and data integrity.<br>- Malicious Payload Injection: Attackers can use fields like fname or lname to inject Stored Cross-Site Scripting (XSS) payloads, compromising the administrative panel when authorized users log in to view the student list.<br>- Arbitrary Data Deletion/Modification: Using other endpoints in the same directory (e.g., removeStudent.php), attackers can completely wipe out legitimate institutional data. |
| Source | https://tcn60zf28jhk.feishu.cn/wiki/EAp9wBELdiuATnkJh1pc74Xbnpe?from=from_copylink |
| User | EthX0_ (UID 96627) |
| Submission | 03/28/2026 09:52 (26 days ago) |
| Moderation | 04/19/2026 12:53 (22 days later) |
| Status | Duplicate |
| VulDB entry | 328078 [ProjectsAndPrograms School Management System up to 6b6fae5426044f89c08d0dd101c7fa71f9042a59 missing authentication] |
| Points | 0 |
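The missing control the description names is a per-endpoint session and role check executed before any database work. The following is an added example (not code from the School Management System or its authors) of a guard that each script under assets/ would include right after config.php, shown on a hypothetical removeStudent.php; the session keys `user_id` and `role`, the role strings `Admin`/`Owner`, the `$conn` mysqli handle and the `students` table are assumptions.

```php
<?php
// Added example, not the project's own code. Session/role guard that every
// operational endpoint under assets/ would call before touching the database.
// Assumptions: the login handler stores the authenticated user's id in
// $_SESSION['user_id'] and their role ('Admin' or 'Owner') in $_SESSION['role'].
declare(strict_types=1);

/**
 * Stop the request unless the caller holds an authenticated session whose
 * role is one of $allowedRoles. Sensitive scripts call this first.
 */
function requireRole(array $allowedRoles): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $role = $_SESSION['role'] ?? null;
    if (empty($_SESSION['user_id']) || !in_array($role, $allowedRoles, true)) {
        http_response_code(401);
        header('Content-Type: application/json');
        echo json_encode(['error' => 'authentication required']);
        exit;
    }
}

// Only accept the method the endpoint is designed for, so a deletion cannot
// be triggered by a plain GET link.
function requirePost(): void
{
    if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST') {
        http_response_code(405);
        exit;
    }
}

// --- what a guarded removeStudent.php would look like (assumed schema) ---
require_once __DIR__ . '/config.php';   // assumed to provide $conn (mysqli)
requirePost();
requireRole(['Admin', 'Owner']);        // the check the vulnerable scripts lack

$id = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT);
if ($id === false || $id === null) {
    http_response_code(400);
    exit;
}
// Parameterised query; table and column names are assumptions.
$stmt = $conn->prepare('DELETE FROM students WHERE id = ?');
$stmt->bind_param('i', $id);
$stmt->execute();
echo json_encode(['deleted' => $stmt->affected_rows]);
```

The Stored XSS angle in the description is a separate output-encoding issue: the admin list view must pass fname/lname through htmlspecialchars() on render, because the guard above only closes the unauthenticated write path.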