提交 #849496: mjperpinosa stumasy 327d1b0f2915ba79d7ef8ebb74553e987609d9be Authorization Bypass Through User-Controlled SQL Primary Key信息

标题mjperpinosa stumasy 327d1b0f2915ba79d7ef8ebb74553e987609d9be Authorization Bypass Through User-Controlled SQL Primary Key
描述The affected components are note and assignment object endpoints under `application/PHP/objects/notes/`, including `update_assignment_answer.php`, `retrieve_assignment_answer_to_update.php`, `update_scratch_data.php`, `retrieve_scratch_data_to_update.php`, and `delete_scratch_data.php`. These endpoints accept object identifiers from POST data and call controller methods that read, update, or delete records by primary key without checking authentication or ownership: ```php $assignment_item_id = $_POST["assignment_item_id"]; $answer = $_POST["answer"]; $execute_function->update_assignment_answer($answer, $assignment_item_id); ``` ```php $insert_answer_statement = $this->db_holder->prepare("UPDATE assignment_items SET answer = ? WHERE item_id = ?"); $insert_answer_statement->execute(array($answer, $assignment_item_id)); ``` ```php $new_scratch_data = $_POST["new_scratch_data"]; $scratch_data_id = $_POST["scratch_data_id"]; $execute_function->update_scratch_data($new_scratch_data, $scratch_data_id); ``` ```php $update_statement = $this->db_holder->prepare("UPDATE scratch_data SET scratch_data = ? WHERE scratch_data_id = ?;"); $update_statement->execute(array($new_scratch_data, $scratch_data_id)); ``` An unauthenticated attacker can modify or read other users' assignment answers and scratch notes by guessing numeric IDs. This causes unauthorized data disclosure and tampering.
来源⚠️ https://github.com/mjperpinosa/stumasy/issues/9
用户
 gscsd (UID 97914)
提交2026-06-05 16時53分 (29 日前)
管理2026-07-04 17時50分 (29 days later)
状态已接受
VulDB条目376342 [mjperpinosa stumasy 直到 327d1b0f2915ba79d7ef8ebb74553e987609d9be Note Handler/Assignment /PHP/objects/notes assignment_item_id 权限提升]
积分20

Do you know our Splunk app?

Download it now for free!