## Description

Unifiedtransform v2.X is vulnerable to Incorrect Access Control. Any user (students and teachers) can access and modify student records via the `/students/edit/{id}` endpoints. This functionality is intended exclusively for administrative use. Exploiting this vulnerability can lead to unauthorized data manipulation and privilege escalation.

Vendor: [Unifiedtransform](https://github.com/changeweb/Unifiedtransform)

## Product

A school management software, v2.X

---

## Affected components

The access control mechanism responsible for enforcing user permissions and roles.

- Route: `GET /students/edit/{id}`
- Controller: `UserController`
- Method: `editStudents()`

And all other endpoints and functionalities related to editing student profiles.

## PoC/Attack Vector

**Step 1:** Install the application as instructed in the official GitHub repository, and log in using the default admin credentials (admin@ut.com:password).

**Step 2:** Create a school session and add both teachers and students as per the instructions provided in the repository.

**Step 3:** Log in to the application as a Teacher or Student.

**Step 4:** Navigate to the endpoint `/students/edit/{id}`. ID=1 is reserved for the Admin. IDs 2, 3, etc., are assigned to Teachers. IDs following those (e.g., 4, 5, ...) are assigned to Students. (For example, if you create 2 teachers and 2 students, then ID=2 will be Teacher 1, ID=3 will be Teacher 2, ID=4 will be Student 1, and ID=5 will be Student 2.)

**Step 5:** Change the details and click on update.

---

**Vulnerability Type:** Incorrect Access Control

**Attack Type:** Remote

**Impact:** Escalation of Privileges

**Attack Vectors:** Broken Access Control allows teachers or students to modify data of other students.

**Discoverer:** Sneh Bavarva

## Additional information

**Impact:** This allows unauthorized modifications to other students' data, which should only be accessible by administrators. This can lead to significant data integrity issues and unauthorized privilege escalation.

**References:**

- https://github.com/changeweb/Unifiedtransform
- https://cwe.mitre.org/data/definitions/284.html
- [Unifiedtransform Official Site](http://unifiedtransform.com)
- [Unifiedtransform GitHub Repository](https://github.com/changeweb/Unifiedtransform)
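As an added illustration (not Unifiedtransform's own code), the following Laravel-style sketch shows the shape of the defect described above, a controller that only requires the caller to be logged in, next to a hardened form that fails closed with a Gate check on both the read and the write path and a route-level `can:` middleware as a second layer. The `role` attribute and its `'admin'` value, the use of the `User` model for student records, the update route path and the editable field names are assumptions, not details taken from the advisory.

```php
<?php
// Added example, not Unifiedtransform's own code. Assumptions (not from the
// advisory): users carry a `role` attribute equal to 'admin' for administrators,
// student records are User models, and the update route path / field names.

namespace App\Http\Controllers;

use App\Models\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Gate;
use Illuminate\Support\Facades\Route;

// --- 1. Vulnerable shape (what the advisory describes) -----------------------
// The `auth` middleware proves the caller is logged in, but nothing checks
// *which kind* of user is calling, so any teacher or student can load and
// update any student's record simply by changing {id} in the URL.
class UserControllerVulnerable extends Controller
{
    public function editStudents($id)
    {
        $student = User::findOrFail($id);
        return view('students.edit', compact('student'));
    }

    public function updateStudents(Request $request, $id)
    {
        $student = User::findOrFail($id);
        $student->update($request->only(['name', 'email']));
        return redirect()->back();
    }
}

// --- 2. Hardened shape --------------------------------------------------------
// Centralise the rule in a Gate so routes, controllers and views all ask the
// same question. In a real app this definition lives in
// AuthServiceProvider::boot(); it is shown inline here for readability.
Gate::define('manage-students', function (User $user) {
    // Assumption: a `role` column; adapt to the app's real role representation.
    return $user->role === 'admin';
});

class UserController extends Controller
{
    // $this->authorize() comes from the AuthorizesRequests trait that the
    // default Laravel base Controller already uses; it throws a 403 on denial.
    public function editStudents(Request $request, $id)
    {
        // Authorize before touching any record, so denied callers learn nothing.
        $this->authorize('manage-students');
        $student = User::findOrFail($id);
        return view('students.edit', compact('student'));
    }

    public function updateStudents(Request $request, $id)
    {
        // The check must be repeated on the write path; guarding only the
        // form is not enough, because the POST can be sent directly.
        $this->authorize('manage-students');
        $student = User::findOrFail($id);
        $student->update($request->only(['name', 'email']));
        return redirect()->back();
    }
}

// --- 3. Route-level second layer (routes/web.php) -----------------------------
// The `can:` middleware rejects non-admins even if a future controller method
// forgets its own check. Both the edit and the update routes belong in the group.
Route::middleware(['auth', 'can:manage-students'])->group(function () {
    Route::get('/students/edit/{id}', [UserController::class, 'editStudents']);
    Route::post('/students/update/{id}', [UserController::class, 'updateStudents']);
});
```

The design point is that authorization is enforced in two independent places (controller and route group) and is expressed once, as a named Gate ability, so a regression in one layer is still caught by the other. A regression test worth keeping is a feature test that logs in as a teacher and as a student and asserts a 403 from both `GET /students/edit/{id}` and the corresponding update request.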