CVE-2026-11476
Description
Improper authorization in Kushan2k student-management-system allows unauthenticated users to update admin profiles, potentially leading to account takeover or lockout.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A vulnerability exists in the edit-admin function within controllers/AdminController.php of the Kushan2k student-management-system up to commit f16a4ceaddd6729c4b306ed4641cda3176c1ef2a. The endpoint lacks a session check for administrator privileges, allowing any unauthenticated visitor to trigger the profile update logic. The affected component is the Profile Update Endpoint.
Exploitation
An attacker can exploit this vulnerability by sending an unauthenticated POST request to the AdminController.php with the edit-admin action. The attacker needs network access to the target system and can manipulate the isadmin argument, or other parameters like id or email, to target specific administrator accounts. The vulnerability is present in the edit-admin action, and the underlying database operations in config/User.php use SQL concatenation, making it susceptible to SQL injection.
Impact
Successful exploitation allows an attacker to modify any administrator's email address, which can lead to account takeover via password reset mechanisms, or change an administrator's password, effectively locking them out. The SQL injection vulnerability also presents a risk of reading or modifying other sensitive data within the database, depending on the attacker's skill and the database schema.
Mitigation
This product follows a rolling release approach, and specific version details for affected or updated releases are not provided. The project was informed of the problem early through an issue report [1] but has not yet responded with a patch or fix. As of the available references, no fixed version or workaround has been disclosed.
AI Insight generated on Jun 8, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE)
- (no CPE), range: <=f16a4ceaddd6729c4b306ed4641cda3176c1ef2a
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The edit-admin endpoint lacks authentication checks and directly concatenates user input into SQL queries."
Attack vector
An unauthenticated attacker can send a POST request to the edit-admin action in AdminController.php. This request can include manipulated values for the `id` or `email` parameters. The server will process these requests without verifying if the user is logged in, potentially leading to unauthorized modifications of administrator data or SQL injection [ref_id=1].
Affected code
The vulnerability resides in the `edit-admin` action within `controllers/AdminController.php` (lines 48–84). Specifically, the lack of an admin session check is noted. The underlying database operations in `config/User.php` (lines 54–63, 65–94) are also implicated due to direct SQL concatenation with user-supplied parameters [ref_id=1].
What the fix does
The advisory indicates that the project was informed of the vulnerability but has not responded, and no patch has been provided. Therefore, no fix explanation can be given. Users are advised to await a response from the project maintainers for remediation guidance.
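Since no upstream fix exists, the following is an added illustration (written for this page, not code from the Kushan2k project) of how a hardened edit-admin handler would address both weaknesses named under "Affected code" and "Root cause": an administrator session gate before any database work, and a parameterized UPDATE in place of string concatenation. Everything beyond what the advisory states is assumed: the `$_SESSION['admin_id']` / `$_SESSION['is_admin']` keys, a PDO connection in `$pdo`, and an `admins` table with `id`, `email` and `password_hash` columns are hypothetical names.

```php
<?php
// Added example, not the project's code. Assumed names: $_SESSION['admin_id'],
// $_SESSION['is_admin'], a PDO handle $pdo, and table admins(id, email, password_hash).
declare(strict_types=1);

session_start();

/**
 * Authorization gate. The advisory's root cause is that the edit-admin action
 * runs without this check; here the request is refused before any DB access.
 * Returns the id of the authenticated administrator.
 */
function requireAdminSession(): int
{
    if (empty($_SESSION['admin_id']) || empty($_SESSION['is_admin'])) {
        http_response_code(403);
        exit('Forbidden');
    }
    return (int) $_SESSION['admin_id'];
}

/**
 * Profile update with prepared statements. The pattern the advisory describes
 * (illustrative, not the project's literal code) would look like
 *   "UPDATE admins SET email='" . $_POST['email'] . "' WHERE id=" . $_POST['adminid']
 * which lets request parameters alter the query. Here the target id comes
 * from the session, never from the request body, and values are bound.
 */
function updateAdminProfile(PDO $pdo, int $adminId, string $email, ?string $newPassword): void
{
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('Invalid email address');
    }

    $pdo->beginTransaction();
    try {
        $stmt = $pdo->prepare('UPDATE admins SET email = :email WHERE id = :id');
        $stmt->execute([':email' => $email, ':id' => $adminId]);

        // Password changes are hashed; an empty field leaves the password untouched.
        if ($newPassword !== null && $newPassword !== '') {
            $hash = password_hash($newPassword, PASSWORD_DEFAULT);
            $stmt = $pdo->prepare('UPDATE admins SET password_hash = :hash WHERE id = :id');
            $stmt->execute([':hash' => $hash, ':id' => $adminId]);
        }
        $pdo->commit();
    } catch (Throwable $e) {
        $pdo->rollBack();
        throw $e;
    }
}

// Controller dispatch. A CSRF token check is assumed to be handled by the
// application's form layer and is omitted here.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && ($_GET['action'] ?? '') === 'edit-admin') {
    $adminId = requireAdminSession(); // gate runs first, on every request
    /** @var PDO $pdo */
    updateAdminProfile(
        $pdo,
        $adminId,
        (string) ($_POST['email'] ?? ''),
        isset($_POST['password']) ? (string) $_POST['password'] : null
    );
    header('Location: /admin/profile?updated=1');
    exit;
}
```

Two design points matter for the impact described above: deriving the record id from the session rather than from `id`/`adminid` in the request removes the ability to pick another administrator's account, and binding `:email` and `:id` as parameters closes the concatenation path regardless of what the request contains.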
Preconditions
- auth: No administrator session is required.
- network: The attacker can reach the target server over the network.
Reproduction
Without any valid session cookie (or with an unauthenticated session), craft a POST request to AdminController.php with the edit-admin action and the target adminid. Observe that the server accepts the request and executes the update logic, then redirects the user (even though no login was performed). (Optional SQL injection) Supply a malicious value for email or adminid to alter the query logic (e.g., adminid=1 OR 1=1) [ref_id=1].
Generated on Jun 8, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (5)
News mentions
No linked articles in our index yet.