Access Control Flaw in Unifiedtransform Affects Student Privacy
CVE-2024-12305

4.3 MEDIUM

Key Information:

Vendor: (not listed)
CVE Published: 9 December 2024

Badges: 👾 Exploit Exists

What is CVE-2024-12305?

CVE-2024-12305 is an access control vulnerability (rated CVSS 4.3, Medium, above) found in Unifiedtransform version 2.0 and potentially earlier versions. The flaw allows a malicious student to view the grades of other students: by changing the 'student_id' parameter sent to the marks viewing endpoint, the attacker bypasses the application's access control, because MarkController.php does not verify that the requested student record belongs to the authenticated user. This is a classic insecure direct object reference (IDOR), and it puts student privacy and data confidentiality at risk. No patch is currently available.
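To make the access control gap concrete, the following is an added, hypothetical Laravel-style controller that contrasts the weak pattern described above with a hardened version. It is not Unifiedtransform's own MarkController.php; the `Mark` model, the `role` attribute on the user, the route and the method names are all assumptions for illustration.

```php
<?php
// Added illustration of the IDOR pattern behind CVE-2024-12305.
// NOT Unifiedtransform's code: Mark model, role attribute, view name and
// method names are assumed for the example.

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Log;

class MarkViewExample
{
    // WEAK: the controller trusts the student_id parameter as-is. Any
    // authenticated student can read another student's marks simply by
    // changing the number in the request.
    public function showWeak(Request $request)
    {
        $studentId = (int) $request->query('student_id');
        $marks = Mark::where('student_id', $studentId)->get(); // assumed model
        return view('marks.show', ['marks' => $marks]);
    }

    // HARDENED: the student identity is taken from the authenticated session,
    // and a supplied student_id is only honoured if it matches that identity
    // (or the caller holds a staff role). Mismatches are logged and refused.
    public function showHardened(Request $request)
    {
        $user = Auth::user();

        // Default to the caller's own id so students never need to send one.
        $requestedId = (int) $request->query('student_id', $user->id);

        if (!$this->mayViewMarksOf($user, $requestedId)) {
            // Useful detection signal: a student requesting someone else's id.
            Log::warning('Rejected cross-student marks request', [
                'user_id'      => $user->id,
                'requested_id' => $requestedId,
                'ip'           => $request->ip(),
            ]);
            abort(403);
        }

        $marks = Mark::where('student_id', $requestedId)->get(); // assumed model
        return view('marks.show', ['marks' => $marks]);
    }

    // Central authorization rule: students may only see their own marks;
    // teachers and admins (assumed role names) may view any student.
    private function mayViewMarksOf($user, int $requestedId): bool
    {
        if (in_array($user->role, ['teacher', 'admin'], true)) {
            return true;
        }
        return $user->role === 'student' && $requestedId === (int) $user->id;
    }
}
```

The important design choice is that the object being accessed is resolved from the server-side session rather than from client input, and the check lives in one helper so every marks route applies the same rule. The 403 log line gives a SOC a simple signal to alert on: repeated rejections from one account usually mean parameter tampering.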

Affected Version(s)

Unifiedtransform 2.0

CVSS V3.1

Score: 4.3
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • 🟡 Public PoC available
  • 👾 Exploit known to exist
  • Vulnerability published
  • Vulnerability reserved

Credit

ZHAW Information Security Research Group.