ГлавнаяУязвимости → CVE-2025-50870
9.8критическая

CVE-2025-50870

Описание

Institute-of-Current-Students 1.0 is vulnerable to Incorrect Access Control in the mydetailsstudent.php endpoint. The myds GET parameter accepts an email address as input and directly returns the corresponding student's personal information without validating the identity or permissions of the requesting user. This allows any authenticated or unauthenticated attacker to enumerate and retrieve sensitive student details by altering the email value in the request URL, leading to information disclosure.

CVSS
Балл9.8 — критическая
ВекторCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Источники
https://cwe.mitre.org/data/definitions/284.htmlhttps://gist.github.com/b0mk35h/c4d47b5c4aacecdc8e6c4b02b40ce302