Improper Access Control on view student list in 4jean/lav_sms
Valid
Reported on Apr 17th 2022
Description
The lav_sms system provides a feature for teachers to view any student in the system. The problem is that a logged-in student can also view the student list, and can download it as PDF or Excel as well.
Proof of Concept
1. GET http://lav_sms.test/students/list/{id}
Steps to reproduce
1. Log in as a student
2. Navigate to /students/list/{id}
Impact
A student could gather information about other students such as email, photo and adm_no.
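One way to close this hole on the defender's side, as an added example that is not code from 4jean/lav_sms: a Laravel route middleware that refuses the student list (and its PDF/Excel exports) to any account that is not staff. The `user_type` attribute, the role names, the `staff` middleware alias and the controller name are assumptions, not taken from the report or the project.

```php
<?php
// app/Http/Middleware/EnsureStaff.php -- added example, not lav_sms code.
// Assumes each user carries a `user_type` attribute holding one of the
// role names below (assumed names, not taken from the project).
namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;

class EnsureStaff
{
    /** Roles allowed to browse and export the student list. */
    private const STAFF_ROLES = ['super_admin', 'admin', 'teacher'];

    public function handle(Request $request, Closure $next)
    {
        $user = $request->user();

        // Deny anonymous requests and any authenticated account whose role
        // is not staff. A student therefore receives 403 on
        // /students/list/{id} instead of a list of classmates' records.
        if ($user === null || !in_array($user->user_type, self::STAFF_ROLES, true)) {
            abort(403, 'Only staff may view the student list.');
        }

        return $next($request);
    }
}

// Register the alias in app/Http/Kernel.php ($routeMiddleware):
//   'staff' => \App\Http\Middleware\EnsureStaff::class,
//
// Then attach it in routes/web.php to the list route AND to every
// PDF/Excel export route, so the downloads cannot bypass the HTML check
// (controller name is hypothetical):
//   Route::middleware(['auth', 'staff'])->group(function () {
//       Route::get('/students/list/{id}', 'StudentRecordController@listByClass');
//   });
```

The check belongs on the server side for each route that reads student records; hiding the menu entry in the student's view is not sufficient, since the report shows the URL can be requested directly.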
Occurrences
web.php#L30

Thanks for your report. Would fix this issue promptly
@4jean - are you able to resolve the report (valid and fixed)?