Ralph El Khoury

**Name of the Vulnerable Software and Affected Versions** Serosoft Solutions Pvt Ltd Academia Student Information System (SIS) EagleR version 1.0.118 **Description** The issue concerns incorrect access control in the `/rest/staffResource/create` component, allowing the creation and modification of user accounts, including an Administrator account. This could potentially lead to unauthorized access and privilege escalation. **Recommendations** For version 1.0.118, consider disabling access to the `/rest/staffResource/create` component until a patch is available to prevent unauthorized account creation and modification. Restricting access to this component can help minimize the risk of exploitation. Additionally, monitor user account activity closely for any signs of unauthorized access or modifications.

**Name of the Vulnerable Software and Affected Versions** Serosoft Solutions Pvt Ltd Academia Student Information System (SIS) EagleR version 1.0.118 **Description** A stored cross-site scripting issue allows attackers to execute arbitrary web scripts or HTML by injecting a crafted payload into the `User ID` parameter at the "/rest/staffResource/update" API endpoint. **Recommendations** For version 1.0.118, avoid using the `User ID` parameter in the affected API endpoint until the issue is resolved. As a temporary workaround, consider restricting access to the "/rest/staffResource/update" endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Serosoft Solutions Pvt Ltd Academia Student Information System (SIS) EagleR version 1.0.118 **Description** The issue is related to incorrect access control in the component "/rest/staffResource/update" of the affected software, allowing unauthorized creation and modification of user accounts, including an Administrator account. **Recommendations** For version 1.0.118, as a temporary workaround, consider restricting access to the "/rest/staffResource/update" API endpoint until a patch is available. Additionally, limit the ability to create and modify user accounts to authorized personnel only.

**Name of the Vulnerable Software and Affected Versions** Serosoft Solutions Pvt Ltd Academia Student Information System (SIS) EagleR version 1.0.118 **Description** The issue is related to an Insecure Direct Object References (IDOR) in the component "/getStudemtAllDetailsById?studentId=XX". This allows attackers to access sensitive user information via a crafted API request. **Recommendations** For version 1.0.118, as a temporary workaround, consider restricting access to the "/getStudemtAllDetailsById?studentId=XX" API endpoint until a patch is available. Avoid using the `studentId` variable in the affected API endpoint until the issue is resolved.