PT-2025-31656 · Unknown · Institute-Of-Current-Students

Pronay Biswas · Published 2025-08-01 · Updated 2025-08-01 · CVE-2025-50870

CVSS v3.1: 9.8 Critical

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Institute-of-Current-Students version 1.0

Description

The software is susceptible to Incorrect Access Control. The mydetailsstudent.php endpoint allows unauthorized access to student details. The endpoint accepts an email address in the myds GET parameter and directly returns the corresponding student's personal information without proper identity or permission validation. This enables an attacker to enumerate and retrieve sensitive student details by manipulating the email value in the request URL, resulting in information disclosure.

Recommendations

Ensure proper validation of user identity and permissions before accessing or disclosing student information through the mydetailsstudent.php endpoint. Restrict access to the myds GET parameter to authorized users only.
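
One way to implement the recommended identity and permission check, as an added PHP example that is not the project's own code. The session keys `email` and `role`, the `admin` role and the function name `resolveAuthorizedEmail` are assumptions, since the advisory does not show the application's source.

```php
<?php
declare(strict_types=1);

// Added example. Assumptions (not from the advisory): the session stores the
// logged-in user's address under 'email' and a role under 'role', and staff
// allowed to read any record have the role 'admin'.

/**
 * Decide which student record the current session may read.
 * Returns the e-mail to look up, or null when the request must be refused.
 */
function resolveAuthorizedEmail(array $session, mixed $requested): ?string
{
    $own = $session['email'] ?? null;
    if (!is_string($own) || $own === '') {
        return null;                    // no authenticated identity
    }
    if ($requested === null || $requested === '') {
        return $own;                    // no parameter: serve the caller's own record
    }
    if (!is_string($requested)) {
        return null;                    // e.g. myds[]=... arrives as an array
    }
    $candidate = filter_var($requested, FILTER_VALIDATE_EMAIL);
    if ($candidate === false) {
        return null;                    // not an e-mail address
    }
    if (strcasecmp($candidate, $own) === 0) {
        return $own;                    // always query by the session identity
    }
    return ($session['role'] ?? '') === 'admin' ? $candidate : null;
}

// Constructed sessions and myds values, standing in for $_SESSION and $_GET['myds'].
$student = ['email' => 'alice@example.edu', 'role' => 'student'];
$admin   = ['email' => 'registrar@example.edu', 'role' => 'admin'];
$cases = [
    'anonymous'            => [[], 'bob@example.edu'],
    'student, own record'  => [$student, 'Alice@example.edu'],
    'student, other email' => [$student, 'bob@example.edu'],
    'student, array value' => [$student, ['bob@example.edu']],
    'admin, other email'   => [$admin, 'bob@example.edu'],
];
foreach ($cases as $label => [$session, $myds]) {
    $email = resolveAuthorizedEmail($session, $myds);
    printf("%-22s %s\n", $label, $email === null ? 'deny (403)' : "allow {$email}");
}
```

In the endpoint itself the function would be called with `$_SESSION` and `$_GET['myds'] ?? null`, a null result answered with HTTP 403 before any database access, and the returned value bound into a parameterized query.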

Fix

Improper Access Control

Weakness Enumeration

Related Identifiers: CVE-2025-50870

Affected Products: Institute-Of-Current-Students