VYPR
High severity 8.1 · NVD Advisory · Published Mar 17, 2026 · Updated May 19, 2026

CVE-2026-30707

Description

An issue was discovered in SpeedExam Online Examination System (SaaS) after v.FEV2026. It allows Broken Access Control via the ReviewAnswerDetails ASP.NET PageMethod. Authenticated attackers can bypass client-side restrictions and invoke this method directly to retrieve the full answer key. The provider states that this issue is "Fixed in [02/2026] backend service update."

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

SpeedExam Online Examination System (SaaS) suffers from broken access control allowing authenticated attackers to retrieve the full answer key by directly invoking the ReviewAnswerDetails ASP.NET PageMethod.

Vulnerability Details

The vulnerability resides in the ASP.NET AJAX PageMethods implementation used by SpeedExam's online examination platform. The developer inadvertently exposed all administrative and exam interaction functions to the client-side JavaScript, including the ReviewAnswerDetails method. This method lacks server-side authorization checks, allowing any authenticated user to invoke it directly without proper access control [1]. The root cause is a classic case of broken access control, where client-side restrictions are the only barrier to sensitive functionality.
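The server-side check whose absence is described above, as an added example that is not SpeedExam's code: a PageMethod that decides from server-held state whether the caller may see answer data. Every name except ReviewAnswerDetails, the method signature, and the in-memory store are assumptions made for illustration.

```csharp
// Added example. Only the method name ReviewAnswerDetails comes from the advisory;
// the types, parameters and store below are hypothetical.
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.Services;

public class Attempt
{
    public string OwnerUserId;
    public bool Submitted;       // set server-side when the exam is handed in
    public bool ReviewAllowed;   // examiner's setting for this exam
    public Dictionary<string, string> AnswerKey = new Dictionary<string, string>();
}

public partial class ExamPage : System.Web.UI.Page
{
    // Constructed in-memory store standing in for the real database.
    static readonly Dictionary<int, Attempt> Attempts = new Dictionary<int, Attempt>();

    // Decision depends only on server-side state, never on what the page's
    // JavaScript chose to show, hide or disable.
    public static bool MayReview(Attempt a, string userId)
    {
        return a != null && !string.IsNullOrEmpty(userId)
            && a.OwnerUserId == userId   // caller owns this attempt
            && a.Submitted               // the exam is over for this caller
            && a.ReviewAllowed;          // answer review is permitted at all
    }

    [WebMethod(EnableSession = true)]
    public static Dictionary<string, string> ReviewAnswerDetails(int attemptId, string[] questionIds)
    {
        HttpContext ctx = HttpContext.Current;
        string userId = ctx.User.Identity.IsAuthenticated ? ctx.User.Identity.Name : null;
        Attempt attempt;
        Attempts.TryGetValue(attemptId, out attempt);
        if (!MayReview(attempt, userId))
        {
            ctx.Response.StatusCode = 403;             // deny and return no answer data
            return new Dictionary<string, string>();
        }
        // Only keys that belong to this attempt are returned, whatever IDs were sent.
        var wanted = new HashSet<string>(questionIds ?? new string[0]);
        return attempt.AnswerKey.Where(kv => wanted.Contains(kv.Key))
                                .ToDictionary(kv => kv.Key, kv => kv.Value);
    }
}
```

Because a PageMethod is reachable by any client that holds a valid session, the same check has to sit in every exposed method, including the one that hands out question IDs.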

Exploitation

An authenticated attacker can exploit this by using the browser's developer console to call the ReviewAnswerDetails PageMethod. First, the attacker obtains question IDs by calling the ExamQuestionAnswerDetails method, which also requires no parameters. Then, by invoking ReviewAnswerDetails with the obtained question IDs, the server returns the correct answers (the answer key) without the attacker having to complete the exam [1]. No additional authentication or network position is required beyond being logged into the platform.

Impact

Successful exploitation allows an attacker to extract the full answer key for any exam, undermining the integrity of the examination system. This can lead to widespread cheating, devaluation of certifications, and loss of trust in the platform. The impact is particularly severe for a SaaS product used by multiple institutions.

Mitigation

The vendor states that this issue was fixed in a backend service update deployed in February 2026. Users are advised to ensure their instance is running the latest version. No workaround is available for unpatched instances.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
