PT-2023-26664 · Unknown · Opensis Classic

Florian Walter

Publicado

2023-11-20

Atualizado

2023-11-30

CVE-2023-38884

CVSS v3.1

7.5

Alta

Vetor

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions openSIS Classic version 9.0

Description The issue allows an unauthenticated remote attacker to access any student's files. This is achieved by visiting the "/assets/studentfiles/-" API endpoint, where studentId and filename are variables that can be manipulated to access different files.

Recommendations For openSIS Classic version 9.0, restrict access to the "/assets/studentfiles/-" API endpoint to prevent unauthorized file access. Consider implementing proper authentication and authorization mechanisms to ensure that only authorized users can access student files.

Exploit

Correção

IDOR

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-639

Identificadores relacionados

CVE-2023-38884

Produtos afetados

Opensis Classic

PT-2023-26664 · Unknown · Opensis Classic

CVE-2023-38884

Enumeração de Fraquezas

Identificadores relacionados

Produtos afetados

Referências · 5