| Title | sayan365 student-management-system 1.0 Unauthenticated Access |
|---|
| Description | The `delete_subject.php` script performs a destructive operation (deletion of a subject from the database) but contains **no authentication or authorisation checks**. It does not call `session_start()` or verify any session variables. The file simply includes the database connection and then deletes a subject based on the `id` parameter supplied via the URL:
```php
include 'db.php';
if (isset($_GET['id'])) {
$sql = "DELETE FROM subjects WHERE id = $id";
``` |
|---|
| Source | ⚠️ https://github.com/sayan365/student-management-system/issues/6 |
|---|
| User | FuB0Y (UID 98142) |
|---|
| Submission | 05/14/2026 09:51 (2 months ago) |
|---|
| Moderation | 06/02/2026 15:54 (19 days later) |
|---|
| Status | Duplicate |
|---|
| VulDB entry | 367927 [sayan365 student-management-system up to 7f3c9ce7d410332335c2affac93a385485051800 improper authentication] |
|---|
| Points | 0 |
|---|