yashpokharna2555 StudentManagementSystem courseDel.php resource injection
Description
A vulnerability was found in yashpokharna2555 StudentManagementSystem cb2f558ddf8d19396de0f92abf2d224d46a0a203. This impacts an unknown function of the file courseDel.php. The manipulation of the argument ID results in improper control of resource identifiers. The attack may be performed remotely. The exploit has been made public and could be used. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed. The project was informed of the problem early through an issue report but has not responded yet.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An Insecure Direct Object Reference (IDOR) in StudentManagementSystem's courseDel.php allows remote attackers to delete arbitrary course records without proper authorization.
Vulnerability
The StudentManagementSystem project (rolling release, commit cb2f558ddf8d19396de0f92abf2d224d46a0a203) contains an Insecure Direct Object Reference (IDOR) vulnerability in the file courseDel.php. The vulnerable code at lines 19-21 accepts a user-supplied id parameter via $_GET['id'] and directly uses it in a DELETE FROM course WHERE COURSE_ID = ... SQL query without verifying the current user's session or permissions [1][2]. No version information is disclosed due to the rolling release model.
Exploitation
An attacker can exploit this vulnerability remotely by first authenticating with any valid account (default credentials include admin@admin.com/admin and client@client.com/1234) [2]. Once logged in, the attacker sends a crafted HTTP GET request to the application (e.g., GET /courseDel.php?id=1) using tools like Burp Suite or curl [2]. The server processes the request and deletes the course record matching the supplied ID without checking if the authenticated user has deletion privileges [2]. The same pattern likely affects other deletion endpoints such as studentDel.php and sectionDel.php.
Impact
Successful exploitation allows an attacker with a low-privileged account to delete arbitrary course records from the database. This results in unauthorized data loss and impacts the availability and integrity of course management data. The attacker does not need to be an administrator to perform the deletion, leading to privilege escalation in terms of data modification capabilities [2].
Mitigation
The project maintainer was informed via a GitHub issue but has not responded or released a fix [2]. Since no patched version or workaround has been published, users should implement session-based authorization checks before executing DELETE operations in courseDel.php and similar endpoints, or discontinue use of this software until a security update is provided. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog as of this writing.
- [1] GitHub - yashpokharna2555/StudentManagementSystem: Student Management System is a project where all the large records can be easily handled in efficient manner. Technology used for this project are HTML, CSS, JavaScript, PHP, MySQL, SQL
- [2] Insecure Direct Object Reference (IDOR) in courseDel.php allows unauthorized deletion of courses
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing authorization check in courseDel.php allows any authenticated user to delete courses by supplying an arbitrary ID parameter."
Attack vector
An attacker who has authenticated with any valid account (including a low-privilege client account) can delete courses by sending a GET request to `/courseDel.php?id=
Affected code
The vulnerability is in `courseDel.php`, specifically lines 19–21 where the code executes `DELETE FROM course WHERE COURSE_ID = ' . $_GET['id']` without any access control check [ref_id=1]. The same pattern may exist in other deletion endpoints such as `studentDel.php` and `sectionDel.php` [ref_id=1].
What the fix does
No patch has been published by the project maintainer. The advisory recommends implementing session-based authorization: before performing the DELETE operation, verify that the authenticated user's role is `ADMIN` (e.g., `if ($_SESSION['role'] !== 'ADMIN') { die('Unauthorized'); }`) [ref_id=1]. Additionally, the advisory suggests replacing the raw string concatenation with a parameterized prepared statement to also prevent SQL injection [ref_id=1].
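The two recommendations above (role check before the DELETE, then a bound parameter instead of concatenation) combined in one handler. This is an added example, not code from the project or the advisory: it uses PDO with an in-memory SQLite database in place of the project's own database layer, and the `COURSE_NAME` column, the `CLIENT` role value and the sample rows are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added example: hardened delete handler. Everything except the
// course.COURSE_ID column and the 'ADMIN' role check is an assumption.
function deleteCourse(PDO $db, array $session, array $query): array
{
    // 1. Authorization: only an ADMIN session may delete (the missing check).
    if (($session['role'] ?? null) !== 'ADMIN') {
        return [403, 'Unauthorized'];
    }

    // 2. Input validation: the ID must be a positive integer, nothing else.
    $id = filter_var($query['id'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return [400, 'Invalid course id'];
    }

    // 3. Parameterized statement: the ID is bound, never concatenated.
    $stmt = $db->prepare('DELETE FROM course WHERE COURSE_ID = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();

    return $stmt->rowCount() === 1 ? [200, 'Deleted'] : [404, 'No such course'];
}

// Constructed sample data in an in-memory SQLite database (needs pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE course (COURSE_ID INTEGER PRIMARY KEY, COURSE_NAME TEXT)');
$db->exec("INSERT INTO course VALUES (1, 'BSIT'), (2, 'BSCS')");

// Constructed requests: session contents and query string for each case.
$cases = [
    'client session'     => [['role' => 'CLIENT'], ['id' => '1']],
    'no session'         => [[],                   ['id' => '1']],
    'admin, non-integer' => [['role' => 'ADMIN'],  ['id' => '1 OR 1=1']],
    'admin, valid id'    => [['role' => 'ADMIN'],  ['id' => '1']],
];
foreach ($cases as $label => [$session, $query]) {
    [$status, $message] = deleteCourse($db, $session, $query);
    $left = $db->query('SELECT COUNT(*) FROM course')->fetchColumn();
    printf("%-20s -> %d %s (rows left: %d)\n", $label, $status, $message, $left);
}
```

Only the last case removes a row; the role check runs before any input reaches the database, so a low-privilege or missing session is rejected regardless of the ID supplied.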
Preconditions
- auth: Attacker must be authenticated with any valid user account (e.g., the default client account client@client.com / 1234)
- network: The application must be running and accessible over the network
- auth: No special role or permission is required; any logged-in session can trigger the deletion
Reproduction
1. Log in to the application using any valid account (e.g., `client@client.com` / `1234`).
2. Send the following HTTP request:
   `GET /courseDel.php?id=1 HTTP/1.1`
   `Host: 127.0.0.1:8000`
3. Observe that the course with `COURSE_ID = 1` (e.g., "BSIT") is deleted from the database, even though the current user should not have permission to delete courses [ref_id=1].
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (4)
- github.com/yashpokharna2555/StudentManagementSystem/issues/1 (mitre, exploit, issue-tracking)
- vuldb.com/submit/813961 (mitre, third-party-advisory)
- vuldb.com/vuln/365419 (mitre, vdb-entry, technical-description)
- vuldb.com/vuln/365419/cti (mitre, signature, permissions-required)