Unknown · Institute-Of-Current-Students · CVE-2025-50870
**Name of the Vulnerable Software and Affected Versions**
Institute-of-Current-Students version 1.0
**Description**
The software is susceptible to Incorrect Access Control. The `mydetailsstudent.php` endpoint allows unauthorized access to student details. The `myds` GET parameter accepts an email address as input and directly returns the corresponding student's personal information without proper identity or permission validation. This enables an attacker to enumerate and retrieve sensitive student details by manipulating the email value in the request URL, resulting in information disclosure.
**Recommendations**
Ensure proper validation of user identity and permissions before accessing or disclosing student information through the `mydetailsstudent.php` endpoint.
Restrict access to the `myds` GET parameter to authorized users only.
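One way to apply both recommendations is to decide which record the caller may read before any lookup happens. This is an added example, not the project's code: the session keys `email` and `role`, the `admin` role, and the function name `authorizedStudentEmail` are assumptions, and the demo values are constructed.

```php
<?php
declare(strict_types=1);
// Added example: authorization gate for a handler such as mydetailsstudent.php.
// Assumptions (hypothetical, not from the project): login stores the user's
// address in $_SESSION['email'] and a role string in $_SESSION['role'].

/**
 * Decide which student record the caller may read.
 * Returns the permitted email, or null when the request must be refused.
 */
function authorizedStudentEmail(array $session, array $query): ?string
{
    // No authenticated session: never serve a record.
    if (empty($session['email']) || !is_string($session['email'])) {
        return null;
    }
    $self = strtolower(trim($session['email']));

    // Without a myds value, fall back to the caller's own record.
    $requested = $query['myds'] ?? $self;
    if (!is_string($requested)) {   // refuses array input such as myds[]=x
        return null;
    }
    $requested = strtolower(trim($requested));
    if (filter_var($requested, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }

    // A student may read only their own record; the assumed 'admin' role
    // may read any. The myds value alone never grants access.
    $isAdmin = ($session['role'] ?? '') === 'admin';
    return ($requested === $self || $isAdmin) ? $requested : null;
}

// Handler wiring, shown as comments so the function can be included and tested:
//   session_start();
//   $email = authorizedStudentEmail($_SESSION, $_GET);
//   if ($email === null) { http_response_code(403); exit; }
//   ...look up $email with a prepared statement and render the record...

// Constructed demo values, executed only from the command line.
if (PHP_SAPI === 'cli') {
    $alice = ['email' => 'alice@example.edu', 'role' => 'student'];
    var_dump(authorizedStudentEmail($alice, ['myds' => 'alice@example.edu'])); // own record
    var_dump(authorizedStudentEmail($alice, ['myds' => 'bob@example.edu']));   // another student's
    var_dump(authorizedStudentEmail([], ['myds' => 'bob@example.edu']));       // no session
}
```

Returning the same 403 for "not permitted" and "no such student" keeps the endpoint from confirming which email addresses exist.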