CVE-2026-11475

An attacker can remotely send a POST request to the Certificate Verification Endpoint with a manipulated 'nic' argument. This argument is passed to the getStatus method, which then directly embeds it into an SQL query. By injecting a boolean-based payload, such as '0 OR 1=1 --', an attacker can alter the query's logic. This allows them to bypass the intended verification and obtain the session ID of another user, leading to unauthorized access.

The vulnerability resides in the getStatus function within the file controllers/GradeController.php and the subsequent use in config/User.php. Specifically, the line `$res = $this->db->query("... WHERE student.NIC={$index} OR student.student_id='{$index}' OR registrations.cetificate_no='{$index}'");` in config/User.php directly embeds the user-supplied `$index` (derived from the 'nic' POST parameter) into the SQL query without any form of sanitization or parameterization.

The advisory indicates that the project was informed of the vulnerability but has not responded, and no patch is available. Remediation guidance would typically involve parameterizing SQL queries or properly escaping user input before embedding it in database queries to prevent SQL injection.

Without a valid certificate number, send a POST request to GradeController.php with a malicious nic payload. Observe the server responds with a 302 Found redirect to mycourse.view.php. Follow the redirect with the same session cookie. The page displays another student’s personal details, email, NIC, and course information, confirming unauthorised access.