Improper Access Control on view student list in 4jean/lav_sms

Valid

Reported on

Apr 17th 2022


Description

The lav_sms system provides a feature for teachers to view any student in the system. The problem is that a student can also view the student list, and can also download the list as PDF or Excel.

Proof of Concept

1. GET http://lav_sms.test/students/list/{id}

Steps to reproduce

1. Log in as a student
2. Navigate to /students/list/{id}

Impact

A student could gather information about other students, such as email, photo and adm_no.
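As an added illustration (not the project's own code, and not the actual fix merged at web.php#L30), a Laravel route file showing the weak setting beside a corrected one: the student list and its export are gated on a role check instead of on authentication alone. The `user_type` column, the gate name, the `App\User` namespace and the controller names are assumptions.

```php
<?php
// Added example, not code from 4jean/lav_sms. Assumes a User model with a
// `user_type` column holding 'student', 'teacher' or 'admin', and a
// StudentRecordController with index() and export() methods (all hypothetical).

use Illuminate\Support\Facades\Gate;
use Illuminate\Support\Facades\Route;
use App\User; // App\Models\User on newer Laravel versions

// --- Weak configuration (shown for contrast; the hardened group below replaces it).
// Only authentication is checked, so a logged-in student reaches
// /students/list/{id} and the PDF/Excel export exactly like a teacher.
Route::middleware('auth')->group(function () {
    Route::get('students/list/{id}', 'StudentRecordController@index');
    Route::get('students/list/{id}/export/{type}', 'StudentRecordController@export');
});

// --- Hardened configuration.
// An authorization gate decides who may list students. Register this in
// AuthServiceProvider::boot(); it is placed here only to keep the example in one file.
Gate::define('view-student-list', function (User $user) {
    return in_array($user->user_type, ['teacher', 'admin'], true);
});

// The `can:` middleware evaluates the gate before the controller runs, so a
// student receives 403 instead of the list. The export route sits under the
// same gate so the PDF/Excel download is not left as a bypass of the check.
Route::middleware(['auth', 'can:view-student-list'])->group(function () {
    Route::get('students/list/{id}', 'StudentRecordController@index');
    Route::get('students/list/{id}/export/{type}', 'StudentRecordController@export');
});
```

A quick regression check after the fix is to repeat the reporter's steps with a student account and confirm both the list and the export respond with 403.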

Occurrences

We are processing your report and will contact the 4jean/lav_sms team within 24 hours. a month ago
We created a GitHub Issue asking the maintainers to create a SECURITY.md a month ago
Chinedu Okemiri
a month ago

Maintainer


Thanks for your report. Would fix this issue promptly

Jamie Slome
a month ago

Admin


@4jean - are you able to resolve the report (valid and fixed)?

We have contacted a member of the 4jean/lav_sms team and are waiting to hear back a month ago
Chinedu Okemiri validated this vulnerability a month ago
nightfury99 has been awarded the disclosure bounty
The fix bounty is now up for grabs
Chinedu Okemiri confirmed that a fix has been merged on 6c6d13 a month ago
Chinedu Okemiri has been awarded the fix bounty
web.php#L30 has been validated