CVE-2024-12305
📋 TL;DR
An object-level access control vulnerability (an IDOR) in Unifiedtransform allows an authenticated student to view other students' grades by changing the student_id parameter sent to the marks viewing endpoint; the server trusts the supplied id instead of binding the lookup to the logged-in student. The report names Unifiedtransform version 2.0, and earlier versions that expose the same endpoint to student users are potentially affected as well.
💻 Affected Systems
- Unifiedtransform
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Mass grade data exfiltration leading to privacy violations, academic integrity breaches, and potential regulatory compliance issues.
Likely Case
Individual students viewing other students' grades, causing privacy violations and potential academic misconduct.
If Mitigated
With a correct object-level authorization check in place, a student can retrieve only their own grade records, whatever student_id value they send.
🎯 Exploit Status
Exploitation requires only an authenticated student account and a modified student_id parameter in the marks request; no elevated role or special tooling is needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not available
Vendor Advisory: https://huntr.com/bounties/90a7299e-9233-43fd-b666-7375c4fdbb3c
Restart Required: No
Instructions:
No official patch available. Monitor vendor channels for updates.
🔧 Temporary Workarounds
Implement server-side access control
Add an authorization check in MarkController.php so that a request from a student user is only served when the requested student_id equals the authenticated user's own student id (or the requester holds a teacher or admin role). Do not rely on the client-supplied parameter alone: derive the id to look up from the session where possible.
Disable marks viewing endpoint
Temporarily disable the vulnerable marks viewing endpoint for student users until a proper fix is available; teacher and admin views can remain in place if they are separately authorized.
🧯 If You Can't Patch
- Implement network segmentation to restrict student access to only necessary systems
- Enable detailed logging of all grade access attempts and monitor for suspicious patterns
🔍 How to Verify
Check if Vulnerable:
Log in with two student accounts, A and B. From A's session, request the marks view and replace the student_id value with B's id. If B's grades are returned, the instance is vulnerable. A 200 response alone is not proof: confirm the body contains B's data rather than A's own page.
Check Version:
Check Unifiedtransform version in admin panel or configuration files.
Verify Fix Applied:
Repeat the two-account test after applying the fix: a student session requesting another student's id must receive a denial (for example 403, or a redirect) or, at most, their own record, and never the other student's data, regardless of how the parameter is manipulated.
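The two-account procedure above, as an added worked example that is not code from the Unifiedtransform project or from the CVE report. The request function is injected so the decision logic can run offline against constructed server behaviours (the reported vulnerable behaviour, a fixed one, and an application that ignores the parameter); against a real test instance the fetcher would be an HTTP client sending the student's session cookie. The endpoint shape (a GET carrying a student_id parameter), the session values, and the marks page text are all assumptions made for the example.

```python
"""Two-account check for the student_id object-level access control flaw.

Added example, not code from the Unifiedtransform project or the CVE report.
The fetcher is injected so the logic runs offline; the endpoint shape, the
session tokens and the page contents below are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Callable, Tuple

# fetch(session_token, student_id) -> (HTTP status, response body)
Fetcher = Callable[[str, int], Tuple[int, str]]


@dataclass(frozen=True)
class StudentAccount:
    session: str      # an authenticated session for this student
    student_id: int   # the id this session legitimately owns
    marker: str       # text that appears only on this student's marks page


@dataclass(frozen=True)
class CheckResult:
    own_record_ok: bool   # the requester can still read their own marks
    cross_access: bool    # the requester received the other student's marks
    verdict: str          # "VULNERABLE", "NOT VULNERABLE" or "INCONCLUSIVE"


def check_cross_access(fetch: Fetcher, requester: StudentAccount,
                       victim: StudentAccount) -> CheckResult:
    """From requester's session, ask for victim's student_id and inspect the body.

    A bare 200 is not proof: an application that ignores the parameter and
    renders the requester's own page also answers 200, so the body must carry
    the victim's marker and not the requester's. If the requester cannot even
    read their own record, the setup (session or marker) is wrong and the
    result is inconclusive rather than "not vulnerable".
    """
    status_own, body_own = fetch(requester.session, requester.student_id)
    own_ok = status_own == 200 and requester.marker in body_own

    status_x, body_x = fetch(requester.session, victim.student_id)
    leaked = (status_x == 200 and victim.marker in body_x
              and requester.marker not in body_x)

    if not own_ok:
        verdict = "INCONCLUSIVE"
    elif leaked:
        verdict = "VULNERABLE"
    else:
        verdict = "NOT VULNERABLE"
    return CheckResult(own_ok, leaked, verdict)


# --- constructed stand-ins for a test instance (not a real server) ---
SESSIONS = {"sess-alice": 101, "sess-bob": 102}          # session -> student id
MARKS_PAGES = {101: "Marks for Alice Example: Math 88",
               102: "Marks for Bob Example: Math 73"}

ALICE = StudentAccount("sess-alice", 101, "Alice Example")
BOB = StudentAccount("sess-bob", 102, "Bob Example")


def vulnerable_fetch(session: str, student_id: int) -> Tuple[int, str]:
    """Trusts student_id from the request: the reported behaviour."""
    if session not in SESSIONS:
        return 302, ""                     # unauthenticated: redirect to login
    if student_id not in MARKS_PAGES:
        return 404, "Not found"
    return 200, MARKS_PAGES[student_id]


def fixed_fetch(session: str, student_id: int) -> Tuple[int, str]:
    """Object-level check: the id in the request must match the session's owner."""
    if session not in SESSIONS:
        return 302, ""
    if SESSIONS[session] != student_id:
        return 403, "Forbidden"
    return 200, MARKS_PAGES[student_id]


def param_ignored_fetch(session: str, student_id: int) -> Tuple[int, str]:
    """Always renders the session owner's own page: answers 200 but leaks nothing."""
    if session not in SESSIONS:
        return 302, ""
    return 200, MARKS_PAGES[SESSIONS[session]]


if __name__ == "__main__":
    for name, fetch in [("vulnerable", vulnerable_fetch), ("fixed", fixed_fetch),
                        ("param ignored", param_ignored_fetch)]:
        print(f"{name:14} -> {check_cross_access(fetch, ALICE, BOB).verdict}")
```

Run the check in both directions (A against B, then B against A) on a real instance, since an authorization fix that only covers one code path is a common partial repair.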
📡 Detection & Monitoring
Log Indicators:
- Multiple grade access requests with different student_id values from same user session
- Rapid sequential access to different student records
Network Indicators:
- Unusual patterns of requests to marks endpoint with varying student_id parameters
SIEM Query (Splunk-style; assumes the student_id query parameter and the session identifier have been extracted into fields, which stock web-server access logs do not provide on their own):
source="web_logs" AND uri="/marks/*" AND status=200 | stats dc(student_id) AS distinct_students BY session_id, src_ip | where distinct_students > 1
Counting by source IP alone is noisy on shared school networks and NAT; a single session (or authenticated user) fetching more than one distinct student_id is the signal that matches this vulnerability.