| tiêu đề | yungifez Skuul v2.6.5 Improper Access Controls |
|---|
| Mô tả | The View Fee Invoice feature in Skuul v2.6.5 is vulnerable to an Insecure Direct Object Reference (IDOR). Authenticated student users can manipulate the invoice ID parameter in the URL to access other students’ invoices without authorization. This results in unauthorized disclosure of personal and financial information.
Steps to Reproduce
1. Naviagte to: http://127.0.0.1:8000/login and Log in as a student the given credentials are: Email: [email protected] | Password: password
2. Navigate to Fees and click on View Fee Invoice.
3. Click on Action and click View, and observe the URL in the browser’s address bar: http://127.0.0.1:8000/dashboard/fees/fee-invoices/46
4. Modify the invoice ID in the URL (e.g., change 46 to 45): http://127.0.0.1:8000/dashboard/fees/fee-invoices/45
5. The application displays the invoice of Student XYZ even Student ABC can print Student XYZ invoice.
Impact
-) Unauthorized access to other students’ invoices.
-) Exposure of personal and financial data.
-) Privacy and data protection violation.
Recommendation
-) Enforce ownership checks before displaying invoices.
-) Implement proper role-based access control (RBAC).
-) Use non-predictable invoice IDs (e.g., UUIDs).
Affected Version
-) Skuul v2.6.5
Product Source:
-) Website: https://yungifez.github.io/skuul.org/
-) GitHub Repository: https://github.com/yungifez/skuul
Credits
Zeeshan Khan
https://www.thezeeshankhan.site/ |
|---|
| Nguồn | ⚠️ https://gist.github.com/thezeekhan/fbfa9a7dbc0b0b81fd868ee166839041 |
|---|
| Người dùng | Zeeshan Khan (UID 91384) |
|---|
| Đệ trình | 22/10/2025 20:31 (cách đây 9 các tháng) |
|---|
| Kiểm duyệt | 08/11/2025 17:46 (17 days later) |
|---|
| Trạng thái | được chấp nhận |
|---|
| Mục VulDB | 331636 [yungifez Skuul School Management System đến 2.6.5 View Fee Invoice fee-invoices invoice_id nâng cao đặc quyền] |
|---|
| điểm | 20 |
|---|