VYPR
Medium severity (score 6.3) · NVD Advisory · Published May 31, 2026

CVE-2026-10168

Description

An IDOR vulnerability in the School Student Management System allows a logged-in parent to view other students' marks and class routines by manipulating the student ID parameter.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The vulnerability resides in the marks function of application/controllers/Parents.php. The function accepts a student ID via the URL parameter $param1 and passes it directly to the view without verifying that the student belongs to the currently logged-in parent. The views marks.php and class_routine.php then use this ID to fetch and display the student's marks or class routine without any ownership check. Affected versions include all builds up to commit 1e70e5ad1125b86dca4ee086eb6bb121f17708b6; the project uses rolling releases, so no specific version numbers are available [1].

Exploitation

An attacker must first authenticate as a parent (e.g., using credentials p_zakir@gmail.com / 123). With a valid session cookie, they can send a GET request to /index.php?parents/marks/1 (or any arbitrary student ID) to retrieve the marks of a student not associated with their account. The same technique works for the class routine page (parents/class_routine/1). No additional privileges or user interaction beyond authentication are required [1].

Impact

Successful exploitation allows a parent to view sensitive academic information—marks and class routines—of any student in the system, leading to unauthorized disclosure of confidential data. The attacker gains no write access or privilege escalation, but the confidentiality of all students' academic records is compromised [1].

Mitigation

The project uses continuous delivery with rolling releases and has not responded to the issue report. No fixed version has been released as of the publication date. The vendor has not provided a patch or workaround. Until a fix is available, administrators should consider restricting access to the affected endpoints or implementing an ownership check in the controller to verify that the requested student ID belongs to the logged-in parent [1].

AI Insight generated on May 31, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

Root cause

"Missing authorization check in the `marks` method — the student ID from the URL is used directly without verifying that the student belongs to the currently logged-in parent."

Attack vector

An authenticated parent can change the student ID segment in the URL (e.g., `/index.php?parents/marks/1`) to access another student's marks or class routine. The `marks` method in `Parents.php` accepts the student ID from the URL via `$param1` and passes it to the view without any ownership check; it never compares the student's `parent_id` against the logged-in parent's session ID [ref_id=1]. Because student IDs are small integers (the reproduction uses student_id=1), an attacker can iterate through them to extract academic records for every student in the system.

Affected code

The vulnerability resides in `application/controllers/Parents.php` (lines 53–70), specifically the `marks` method, which accepts a student ID via `$param1` from the URL and passes it directly to the view without verifying ownership. The corresponding views `application/views/backend/parent/marks.php` and `application/views/backend/parent/class_routine.php` then use this unverified student ID to fetch and display sensitive data [ref_id=1]. Note that the defect is a missing authorization check, not missing input sanitization: the ID is a valid integer, it simply belongs to someone else's child.

What the fix does

No patch has been published by the vendor; the project was notified via an issue report but has not responded [ref_id=1]. The advisory recommends adding an ownership check in the `marks` method that compares the student's `parent_id` field against the currently logged-in parent's session ID before rendering data. A similar check should be applied to the `class_routine` method and the corresponding views to prevent unauthorized access [ref_id=1].
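The ownership check that both the Mitigation section and the paragraph above recommend, shown as an added illustration that is not code from the School Student Management System or from the reporter. It places the vulnerable pattern (the URL segment is trusted and handed straight to the view) beside a hardened version that resolves the student row and compares its `parent_id` with the logged-in parent before anything is rendered. The in-memory `STUDENTS` and `MARKS` arrays, the session keys `login_type` and `parent_id`, and the function names `marks_vulnerable` / `marks_fixed` are constructed assumptions so the file runs stand-alone with `php`.

```php
<?php
// Added illustration of the IDOR in this advisory. Not code from the School
// Student Management System; the data, session shape and function names are
// constructed assumptions so this runs by itself with: php idor_demo.php
declare(strict_types=1);

// Constructed rows standing in for the student table (student_id => row).
const STUDENTS = [
    1 => ['name' => 'Riham', 'parent_id' => 7],
    2 => ['name' => 'Amina', 'parent_id' => 3],
    3 => ['name' => 'Tariq', 'parent_id' => 3],
];

// Constructed marks keyed by student_id.
const MARKS = [
    1 => ['Math' => 91, 'English' => 84],
    2 => ['Math' => 77, 'English' => 88],
    3 => ['Math' => 65, 'English' => 70],
];

/**
 * Vulnerable pattern: $param1 comes from /index.php?parents/marks/<id>.
 * The only gate is "is a parent logged in"; the requested student is never
 * tied back to that parent, so any integer returns any student's marks.
 */
function marks_vulnerable(array $session, string $param1): array
{
    if (($session['login_type'] ?? '') !== 'parent') {
        return ['error' => 'login required'];
    }
    $studentId = (int) $param1;
    // Passed straight through to the view: no ownership check at all.
    return [
        'student' => STUDENTS[$studentId]['name'] ?? null,
        'marks'   => MARKS[$studentId] ?? [],
    ];
}

/**
 * Hardened pattern: look up the student row and require that its parent_id
 * equals the parent_id stored in the server-side session. Do this in the
 * controller, before the view is selected; a check inside the view is too late.
 */
function marks_fixed(array $session, string $param1): array
{
    if (($session['login_type'] ?? '') !== 'parent') {
        return ['error' => 'login required'];
    }
    $studentId = (int) $param1;
    $student   = STUDENTS[$studentId] ?? null;

    // One uniform denial for "no such student" and "someone else's student",
    // so the endpoint does not become an oracle for which IDs exist.
    if ($student === null || $student['parent_id'] !== (int) $session['parent_id']) {
        return ['error' => 'forbidden'];
    }
    return ['student' => $student['name'], 'marks' => MARKS[$studentId] ?? []];
}

// Demo: parent_id 3 (children 2 and 3) requests student 1, who belongs to parent 7.
$session = ['login_type' => 'parent', 'parent_id' => 3];
echo "vulnerable, foreign id 1: " . json_encode(marks_vulnerable($session, '1')) . PHP_EOL;
echo "fixed, foreign id 1:      " . json_encode(marks_fixed($session, '1')) . PHP_EOL;
echo "fixed, own child id 2:    " . json_encode(marks_fixed($session, '2')) . PHP_EOL;
```

The same `marks_fixed` shape applies to the `class_routine` method: resolve the row, compare `parent_id` with the session, and only then render. Running the file shows the vulnerable function returning Riham's marks to a parent who is not Riham's, while the fixed function returns the uniform `forbidden` response for that ID and the real data for the parent's own child. Parents with several children should be handled by the same comparison (each child row carries the parent's ID), not by trusting a list of IDs sent from the client.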

Preconditions

  • auth: Attacker must have valid parent login credentials (e.g., p_zakir@gmail.com / 123)
  • network: Attacker must have network access to the application
  • config: The application must be running a version up to commit 1e70e5ad1125b86dca4ee086eb6bb121f17708b6

Reproduction

1. Log in as a parent (credentials: p_zakir@gmail.com / 123) to obtain a valid session cookie.
2. Send a GET request to `/index.php?parents/marks/1` with the session cookie.
3. Observe that the response (16578 bytes) contains the marks and name of student_id=1 (student "Riham"), who does not belong to the logged-in parent.
4. Repeat with different student IDs to enumerate all students' records [ref_id=1].

Generated on May 31, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 4

News mentions: 0 (no linked articles in our index yet)