Access Control Flaws in Unifiedtransform Impacting Educational Data Security
CVE-2024-12306

4.3 MEDIUM

Key Information:

Vendor: Unifiedtransform
CVE Published: 9 December 2024

Badges

  • 👾 Exploit Exists

Summary

CVE-2024-12306 identifies critical access control vulnerabilities in Unifiedtransform version 2.0, and potentially in earlier versions. They allow unauthorized access to sensitive personal information of students and teachers in two ways: missing function-level access control on list viewing endpoints, and missing object-level access control on profile viewing endpoints. A low-privileged user, such as a student, could thereby obtain the personal data of other users. As of the latest update, no patch has been released, so organizations running Unifiedtransform should apply compensating security measures immediately and monitor for exploitation attempts.

Affected Version(s)

Unifiedtransform 2.0

CVSS V3.1

Score: 4.3
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • 🟡 Public PoC available
  • 👾 Exploit known to exist
  • Vulnerability published
  • Vulnerability reserved

Credit

ZHAW Information Security Research Group