PT-2022-20299 · ihb eG · FlexNow

Published: 2022-06-09 · Updated: 2022-06-17 · CVE-2022-30760

CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: ihb eG FlexNow versions prior to 2.04.09.016

Description: The issue is an Insecure Direct Object Reference (IDOR) that allows remote authenticated attackers to obtain sensitive student information, including final grades, study courses, and degrees. This is achieved by changing the student ID parameter in the HTTP POST request to the "FrontControllerSS" endpoint.

Recommendations: For versions prior to 2.04.09.016, update to version 2.04.09.016 or later to resolve the issue. As a temporary workaround, consider restricting access to the "FrontControllerSS" endpoint or limiting the ability to modify the student ID parameter, so that unauthorized access to sensitive student information is prevented.
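As an added illustration (not FlexNow's code; the request shape, record fields and the staff role are assumptions), the pattern behind this finding and the server-side check that closes it: the object reference supplied by the client is validated against the authenticated identity instead of being trusted.

```python
# Added example, not FlexNow code: a minimal model of an IDOR on a
# "student ID" POST parameter and the authorization check that closes it.
# Request shape, record fields and the staff role are assumptions.
from dataclasses import dataclass

# Constructed sample data: grade records keyed by student ID.
RECORDS = {
    "s1001": {"student_id": "s1001", "final_grade": "1.7", "degree": "BSc"},
    "s1002": {"student_id": "s1002", "final_grade": "2.3", "degree": "MSc"},
}


@dataclass(frozen=True)
class Session:
    student_id: str        # identity established at login
    is_staff: bool = False  # assumed role allowed to view any record


def vulnerable_handler(session: Session, form: dict) -> tuple:
    """Trusts the client-supplied student ID: any authenticated user can
    read any student's record by changing the parameter. Returns an
    HTTP-like (status, body) pair."""
    return 200, RECORDS[form["student_id"]]


def is_idor_attempt(session: Session, form: dict) -> bool:
    """Detection hook for the workaround period: a non-staff request whose
    student ID parameter differs from the authenticated identity."""
    requested = form.get("student_id", session.student_id)
    return requested != session.student_id and not session.is_staff


def fixed_handler(session: Session, form: dict) -> tuple:
    """Authorizes the object reference against the session: the record is
    returned only when it belongs to the caller or the caller is staff;
    otherwise a 403 with no body, so nothing about the record leaks."""
    if is_idor_attempt(session, form):
        return 403, None
    requested = form.get("student_id", session.student_id)
    return 200, RECORDS[requested]


if __name__ == "__main__":
    alice = Session("s1001")
    print(vulnerable_handler(alice, {"student_id": "s1002"}))  # leaks s1002
    print(fixed_handler(alice, {"student_id": "s1002"}))       # (403, None)
```

Logging the cases where `is_idor_attempt` fires gives a simple detection signal for unpatched installations.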

Exploit · Fix · IDOR


Weakness Enumeration

Related Identifiers: CVE-2022-30760

Affected Products: ihb eG FlexNow