CVE-2023-38884

Published: Nov 20, 2023Modified: Nov 21, 2024

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

An Insecure Direct Object Reference (IDOR) vulnerability in the Community Edition version 9.0 of openSIS Classic allows an unauthenticated remote attacker to access any student's files by visiting '/assets/studentfiles/<studentId>-<filename>'

Affected (1)

Products: Os4ed: Opensis

Os4ed

1 product

Opensis

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Os4ed Opensis	Version 9.0

Related CWEs

CWE-639

Authorization Bypass Through User-Controlled Key

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

References (6)

https://github.com/OS4ED/openSIS-Classic

Source: cve@mitre.org

Release Notes

https://github.com/dub-flow/vulnerability-research/tree/main/CVE-2023-38884

Source: cve@mitre.org

Vendor Advisory

https://www.os4ed.com/

Source: cve@mitre.org

Product

https://github.com/OS4ED/openSIS-Classic

Source: af854a3a-2127-422b-91ae-364da2661108

Release Notes

https://github.com/dub-flow/vulnerability-research/tree/main/CVE-2023-38884

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

https://www.os4ed.com/

Source: af854a3a-2127-422b-91ae-364da2661108

Product

Timeline

No history available yet.