Stavros Mekesis

Rank #18,526 of 53,633 · Total CVSS 14.6 · Vulnerabilities: 2 (1 Medium, 1 High)
PT-2022-19315 · CVSS 6.5 · 2022-05-18 · Vendor unknown · Universis-Students · CVE-2022-28924

**Name of the Vulnerable Software and Affected Versions** UniverSIS-Students versions prior to 1.5.0

**Description** The issue allows attackers to obtain sensitive information via a crafted GET request to the endpoint `/api/students/me/courses/`.

**Recommendations** For versions prior to 1.5.0, update to version 1.5.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the `/api/students/me/courses/` endpoint until a patch is available.
PT-2022-19722 · CVSS 8.1 · 2022-04-25 · Vendor unknown · Universis-Api · CVE-2022-29603

**Name of the Vulnerable Software and Affected Versions** UniverSIS-API versions through 1.2.1

**Description** An SQL injection issue exists that allows a remote authenticated attacker to send crafted SQL statements to vulnerable API endpoints, such as `/api/students/me/messages/`, via the `select` parameter. This could potentially lead to the retrieval of personal information or the modification of grades.

**Recommendations** For UniverSIS-API versions through 1.2.1, consider restricting access to the vulnerable API endpoints, such as `/api/students/me/messages/`, until a fix is available. As a temporary workaround, avoid using the `select` parameter in affected API endpoints to minimize the risk of exploitation.