VYPR
Unrated severity · NVD Advisory · Published May 25, 2026

SourceCodester Student Grades Management System grades.php improper authorization

CVE-2026-9483

Description

A vulnerability was found in SourceCodester Student Grades Management System 1.0. Affected is an unknown function of the file grades.php. Performing a manipulation of the argument student_id results in improper authorization. The attack may be initiated remotely. The exploit has been made public and could be used.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Improper authorization in Student Grades Management System 1.0 grades.php allows remote attackers to access or modify student grades without proper authentication.

Vulnerability

In SourceCodester Student Grades Management System version 1.0, the grades.php file fails to enforce proper authorization checks on the student_id parameter. An attacker can manipulate this parameter to access or modify grade records belonging to other students. The vulnerability is present in the publicly available code [2].

Exploitation

An attacker can exploit this vulnerability remotely by sending a crafted HTTP request to grades.php with a modified student_id value. No prior authentication is required, as the system does not verify the user's identity or permissions before processing the request [2]. The exploit has been publicly disclosed, increasing the risk of active attacks.

Impact

Successful exploitation allows an attacker to view, alter, or delete grade data for any student in the system, leading to unauthorized disclosure or manipulation of academic records. This compromises the confidentiality and integrity of the application's data.

Mitigation

As of the publication date, no official patch has been released. The vendor has not acknowledged the vulnerability. Users should implement additional access controls, such as server-side session validation and authorization checks, or consider migrating to a maintained alternative. The vulnerability is not listed in the CISA KEV at this time.
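The server-side session validation and authorization checks recommended above could look like the following guard, placed at the top of a grades.php-style endpoint. This is an added example, not the vendor's code or a released patch; the session keys (`user_id`, `role`, `student_id`), the role names and the function name `authorize_grade_access` are assumptions, since the advisory does not show the application's source.

```php
<?php
declare(strict_types=1);

// Hypothetical guard for a grades.php-style endpoint (requires PHP 8.0+).
// Session keys and role names are assumptions, not taken from the application.
session_start();

/**
 * Returns the validated student id the caller may act on,
 * or null when the request must be refused.
 */
function authorize_grade_access(array $session, mixed $requested, bool $isWrite): ?int
{
    // 1. Session validation: identity comes from the server-side session only.
    if (empty($session['user_id']) || empty($session['role'])) {
        return null;
    }

    // 2. Treat student_id as untrusted input: accept positive integers only.
    $studentId = filter_var($requested, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($studentId === false) {
        return null;
    }

    // 3. Authorization: tie the requested record to the session's identity.
    switch ($session['role']) {
        case 'admin':
        case 'teacher':
            // Staff may read and write; a real system would also scope
            // teachers to the classes they are assigned to.
            return $studentId;
        case 'student':
            // Students get read-only access to their own record.
            $own = (int) ($session['student_id'] ?? 0);
            return (!$isWrite && $own === $studentId) ? $studentId : null;
        default:
            return null; // unknown roles are denied
    }
}

$isWrite   = ($_SERVER['REQUEST_METHOD'] ?? 'GET') !== 'GET';
$studentId = authorize_grade_access($_SESSION, $_REQUEST['student_id'] ?? null, $isWrite);
if ($studentId === null) {
    http_response_code(empty($_SESSION['user_id']) ? 401 : 403);
    exit('Access denied');
}
// Only past this point should grades be queried, using $studentId
// as a bound parameter in a prepared statement.
```

Logging each refused request with the session's user id and the requested `student_id` gives defenders a signal for enumeration attempts against this parameter.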

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

References

4
