Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
6 vulnerabilities found for Unifiedtransform by Unifiedtransform
CVE-2024-12307 (GCVE-0-2024-12307)
Vulnerability from cvelistv5 – Published: 2024-12-09 08:50 – Updated: 2024-12-09 15:28
VLAI
Title
Function-Level Access Control Vulnerability Allows Unauthorized Modification of Student Data in Unifiedtransform
Summary
A function-level access control vulnerability in Unifiedtransform version 2.0 and potentially earlier versions allows teachers to modify student personal data without proper authorization. The vulnerability exists due to missing access control checks in the student editing functionality. At the time of publication of the CVE no patch is available.
Severity
4.3 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-284 - Improper Access Control
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://huntr.com/bounties/90a7299e-9233-43fd-b66… | exploit |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Unifiedtransform | Unifiedtransform |
Affected:
2.0
|
|
| unifiedtransform | unifiedtransform |
Affected:
2.0
cpe:2.3:a:unifiedtransform:unifiedtransform:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:unifiedtransform:unifiedtransform:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "unifiedtransform",
"vendor": "unifiedtransform",
"versions": [
{
"status": "affected",
"version": "2.0"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-12307",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-09T15:24:28.435025Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-09T15:28:13.019Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Unifiedtransform",
"programFiles": [
"https://github.com/changeweb/Unifiedtransform/blob/fac7f551ff9284f9586a6644b057b76c1254c194/app/Http/Controllers/UserController.php#L132"
],
"repo": "https://github.com/changeweb/Unifiedtransform",
"vendor": "Unifiedtransform",
"versions": [
{
"status": "affected",
"version": "2.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "ZHAW Information Security Research Group"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A function-level access control vulnerability in Unifiedtransform version 2.0 and potentially earlier versions allows teachers to modify student personal data without proper authorization. The vulnerability exists due to missing access control checks in the student editing functionality. At the time of publication of the CVE no patch is available.\u003cbr\u003e"
}
],
"value": "A function-level access control vulnerability in Unifiedtransform version 2.0 and potentially earlier versions allows teachers to modify student personal data without proper authorization. The vulnerability exists due to missing access control checks in the student editing functionality. At the time of publication of the CVE no patch is available."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284 Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-09T08:50:45.498Z",
"orgId": "455daabc-a392-441d-aa46-37d35189897c",
"shortName": "NCSC.ch"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://huntr.com/bounties/90a7299e-9233-43fd-b666-7375c4fdbb3c"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Function-Level Access Control Vulnerability Allows Unauthorized Modification of Student Data in Unifiedtransform",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "455daabc-a392-441d-aa46-37d35189897c",
"assignerShortName": "NCSC.ch",
"cveId": "CVE-2024-12307",
"datePublished": "2024-12-09T08:50:45.498Z",
"dateReserved": "2024-12-06T15:05:34.408Z",
"dateUpdated": "2024-12-09T15:28:13.019Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-12306 (GCVE-0-2024-12306)
Vulnerability from cvelistv5 – Published: 2024-12-09 08:50 – Updated: 2024-12-09 15:27
VLAI
Title
Access Control Vulnerabilities Allow Unauthorized Access to User Profiles in Unifiedtransform
Summary
Multiple access control vulnerabilities in Unifiedtransform version 2.0 and potentially earlier versions allow unauthorized access to personal information of students and teachers. The vulnerabilities include both function-level access control issues in list viewing endpoints and object-level access control issues in profile viewing endpoints. A malicious student user can access personal information of other students and teachers through these vulnerabilities. At the time of publication of the CVE no patch is available.
Severity
4.3 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://huntr.com/bounties/90a7299e-9233-43fd-b66… | exploit |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Unifiedtransform | Unifiedtransform |
Affected:
2.0
|
|
| unifiedtransform | unifiedtransform |
Affected:
2.0
cpe:2.3:a:unifiedtransform:unifiedtransform:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:unifiedtransform:unifiedtransform:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "unifiedtransform",
"vendor": "unifiedtransform",
"versions": [
{
"status": "affected",
"version": "2.0"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-12306",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-09T15:26:07.359283Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-09T15:27:21.662Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Unifiedtransform",
"programFiles": [
"https://github.com/changeweb/Unifiedtransform/blob/fac7f551ff9284f9586a6644b057b76c1254c194/app/Http/Controllers/UserController.php#L90",
"https://github.com/changeweb/Unifiedtransform/blob/fac7f551ff9284f9586a6644b057b76c1254c194/app/Http/Controllers/UserController.php#L98"
],
"repo": "https://github.com/changeweb/Unifiedtransform",
"vendor": "Unifiedtransform",
"versions": [
{
"status": "affected",
"version": "2.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "ZHAW Information Security Research Group"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Multiple access control vulnerabilities in Unifiedtransform version 2.0 and potentially earlier versions allow unauthorized access to personal information of students and teachers. The vulnerabilities include both function-level access control issues in list viewing endpoints and object-level access control issues in profile viewing endpoints. A malicious student user can access personal information of other students and teachers through these vulnerabilities. At the time of publication of the CVE no patch is available.\u003cbr\u003e"
}
],
"value": "Multiple access control vulnerabilities in Unifiedtransform version 2.0 and potentially earlier versions allow unauthorized access to personal information of students and teachers. The vulnerabilities include both function-level access control issues in list viewing endpoints and object-level access control issues in profile viewing endpoints. A malicious student user can access personal information of other students and teachers through these vulnerabilities. At the time of publication of the CVE no patch is available."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284 Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-09T08:50:23.241Z",
"orgId": "455daabc-a392-441d-aa46-37d35189897c",
"shortName": "NCSC.ch"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://huntr.com/bounties/90a7299e-9233-43fd-b666-7375c4fdbb3c"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Access Control Vulnerabilities Allow Unauthorized Access to User Profiles in Unifiedtransform",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "455daabc-a392-441d-aa46-37d35189897c",
"assignerShortName": "NCSC.ch",
"cveId": "CVE-2024-12306",
"datePublished": "2024-12-09T08:50:23.241Z",
"dateReserved": "2024-12-06T15:05:33.280Z",
"dateUpdated": "2024-12-09T15:27:21.662Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-12305 (GCVE-0-2024-12305)
Vulnerability from cvelistv5 – Published: 2024-12-09 08:49 – Updated: 2024-12-09 15:30
VLAI
Title
Object-Level Access Control Vulnerability Allows Unauthorized Access to Student Grades in Unifiedtransform
Summary
An object-level access control vulnerability in Unifiedtransform version 2.0 and potentially earlier versions allows unauthorized access to student grades. A malicious student user can view grades of other students by manipulating the student_id parameter in the marks viewing endpoint. The vulnerability exists due to insufficient access control checks in MarkController.php. At the time of publication of the CVE no patch is available.
Severity
4.3 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://huntr.com/bounties/90a7299e-9233-43fd-b66… | exploit |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Unifiedtransform | Unifiedtransform |
Affected:
2.0
|
|
| unifiedtransform | unifiedtransform |
Affected:
2.0
cpe:2.3:a:unifiedtransform:unifiedtransform:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:unifiedtransform:unifiedtransform:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "unifiedtransform",
"vendor": "unifiedtransform",
"versions": [
{
"status": "affected",
"version": "2.0"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-12305",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-09T15:29:31.770586Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-09T15:30:21.269Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Unifiedtransform",
"programFiles": [
"https://github.com/changeweb/Unifiedtransform/blob/fac7f551ff9284f9586a6644b057b76c1254c194/app/Http/Controllers/MarkController.php#L108"
],
"repo": "https://github.com/changeweb/Unifiedtransform",
"vendor": "Unifiedtransform",
"versions": [
{
"status": "affected",
"version": "2.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "ZHAW Information Security Research Group"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An object-level access control vulnerability in Unifiedtransform version 2.0 and potentially earlier versions allows unauthorized access to student grades. A malicious student user can view grades of other students by manipulating the student_id parameter in the marks viewing endpoint. The vulnerability exists due to insufficient access control checks in MarkController.php. At the time of publication of the CVE no patch is available.\u003cbr\u003e"
}
],
"value": "An object-level access control vulnerability in Unifiedtransform version 2.0 and potentially earlier versions allows unauthorized access to student grades. A malicious student user can view grades of other students by manipulating the student_id parameter in the marks viewing endpoint. The vulnerability exists due to insufficient access control checks in MarkController.php. At the time of publication of the CVE no patch is available."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-09T08:49:53.971Z",
"orgId": "455daabc-a392-441d-aa46-37d35189897c",
"shortName": "NCSC.ch"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://huntr.com/bounties/90a7299e-9233-43fd-b666-7375c4fdbb3c"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Object-Level Access Control Vulnerability Allows Unauthorized Access to Student Grades in Unifiedtransform",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "455daabc-a392-441d-aa46-37d35189897c",
"assignerShortName": "NCSC.ch",
"cveId": "CVE-2024-12305",
"datePublished": "2024-12-09T08:49:53.971Z",
"dateReserved": "2024-12-06T15:05:32.039Z",
"dateUpdated": "2024-12-09T15:30:21.269Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-12307 (GCVE-0-2024-12307)
Vulnerability from nvd – Published: 2024-12-09 08:50 – Updated: 2024-12-09 15:28
VLAI
Title
Function-Level Access Control Vulnerability Allows Unauthorized Modification of Student Data in Unifiedtransform
Summary
A function-level access control vulnerability in Unifiedtransform version 2.0 and potentially earlier versions allows teachers to modify student personal data without proper authorization. The vulnerability exists due to missing access control checks in the student editing functionality. At the time of publication of the CVE no patch is available.
Severity
4.3 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-284 - Improper Access Control
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://huntr.com/bounties/90a7299e-9233-43fd-b66… | exploit |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Unifiedtransform | Unifiedtransform |
Affected:
2.0
|
|
| unifiedtransform | unifiedtransform |
Affected:
2.0
cpe:2.3:a:unifiedtransform:unifiedtransform:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:unifiedtransform:unifiedtransform:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "unifiedtransform",
"vendor": "unifiedtransform",
"versions": [
{
"status": "affected",
"version": "2.0"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-12307",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-09T15:24:28.435025Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-09T15:28:13.019Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Unifiedtransform",
"programFiles": [
"https://github.com/changeweb/Unifiedtransform/blob/fac7f551ff9284f9586a6644b057b76c1254c194/app/Http/Controllers/UserController.php#L132"
],
"repo": "https://github.com/changeweb/Unifiedtransform",
"vendor": "Unifiedtransform",
"versions": [
{
"status": "affected",
"version": "2.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "ZHAW Information Security Research Group"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A function-level access control vulnerability in Unifiedtransform version 2.0 and potentially earlier versions allows teachers to modify student personal data without proper authorization. The vulnerability exists due to missing access control checks in the student editing functionality. At the time of publication of the CVE no patch is available.\u003cbr\u003e"
}
],
"value": "A function-level access control vulnerability in Unifiedtransform version 2.0 and potentially earlier versions allows teachers to modify student personal data without proper authorization. The vulnerability exists due to missing access control checks in the student editing functionality. At the time of publication of the CVE no patch is available."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284 Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-09T08:50:45.498Z",
"orgId": "455daabc-a392-441d-aa46-37d35189897c",
"shortName": "NCSC.ch"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://huntr.com/bounties/90a7299e-9233-43fd-b666-7375c4fdbb3c"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Function-Level Access Control Vulnerability Allows Unauthorized Modification of Student Data in Unifiedtransform",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "455daabc-a392-441d-aa46-37d35189897c",
"assignerShortName": "NCSC.ch",
"cveId": "CVE-2024-12307",
"datePublished": "2024-12-09T08:50:45.498Z",
"dateReserved": "2024-12-06T15:05:34.408Z",
"dateUpdated": "2024-12-09T15:28:13.019Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-12306 (GCVE-0-2024-12306)
Vulnerability from nvd – Published: 2024-12-09 08:50 – Updated: 2024-12-09 15:27
VLAI
Title
Access Control Vulnerabilities Allow Unauthorized Access to User Profiles in Unifiedtransform
Summary
Multiple access control vulnerabilities in Unifiedtransform version 2.0 and potentially earlier versions allow unauthorized access to personal information of students and teachers. The vulnerabilities include both function-level access control issues in list viewing endpoints and object-level access control issues in profile viewing endpoints. A malicious student user can access personal information of other students and teachers through these vulnerabilities. At the time of publication of the CVE no patch is available.
Severity
4.3 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://huntr.com/bounties/90a7299e-9233-43fd-b66… | exploit |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Unifiedtransform | Unifiedtransform |
Affected:
2.0
|
|
| unifiedtransform | unifiedtransform |
Affected:
2.0
cpe:2.3:a:unifiedtransform:unifiedtransform:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:unifiedtransform:unifiedtransform:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "unifiedtransform",
"vendor": "unifiedtransform",
"versions": [
{
"status": "affected",
"version": "2.0"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-12306",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-09T15:26:07.359283Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-09T15:27:21.662Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Unifiedtransform",
"programFiles": [
"https://github.com/changeweb/Unifiedtransform/blob/fac7f551ff9284f9586a6644b057b76c1254c194/app/Http/Controllers/UserController.php#L90",
"https://github.com/changeweb/Unifiedtransform/blob/fac7f551ff9284f9586a6644b057b76c1254c194/app/Http/Controllers/UserController.php#L98"
],
"repo": "https://github.com/changeweb/Unifiedtransform",
"vendor": "Unifiedtransform",
"versions": [
{
"status": "affected",
"version": "2.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "ZHAW Information Security Research Group"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Multiple access control vulnerabilities in Unifiedtransform version 2.0 and potentially earlier versions allow unauthorized access to personal information of students and teachers. The vulnerabilities include both function-level access control issues in list viewing endpoints and object-level access control issues in profile viewing endpoints. A malicious student user can access personal information of other students and teachers through these vulnerabilities. At the time of publication of the CVE no patch is available.\u003cbr\u003e"
}
],
"value": "Multiple access control vulnerabilities in Unifiedtransform version 2.0 and potentially earlier versions allow unauthorized access to personal information of students and teachers. The vulnerabilities include both function-level access control issues in list viewing endpoints and object-level access control issues in profile viewing endpoints. A malicious student user can access personal information of other students and teachers through these vulnerabilities. At the time of publication of the CVE no patch is available."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284 Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-09T08:50:23.241Z",
"orgId": "455daabc-a392-441d-aa46-37d35189897c",
"shortName": "NCSC.ch"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://huntr.com/bounties/90a7299e-9233-43fd-b666-7375c4fdbb3c"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Access Control Vulnerabilities Allow Unauthorized Access to User Profiles in Unifiedtransform",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "455daabc-a392-441d-aa46-37d35189897c",
"assignerShortName": "NCSC.ch",
"cveId": "CVE-2024-12306",
"datePublished": "2024-12-09T08:50:23.241Z",
"dateReserved": "2024-12-06T15:05:33.280Z",
"dateUpdated": "2024-12-09T15:27:21.662Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-12305 (GCVE-0-2024-12305)
Vulnerability from nvd – Published: 2024-12-09 08:49 – Updated: 2024-12-09 15:30
VLAI
Title
Object-Level Access Control Vulnerability Allows Unauthorized Access to Student Grades in Unifiedtransform
Summary
An object-level access control vulnerability in Unifiedtransform version 2.0 and potentially earlier versions allows unauthorized access to student grades. A malicious student user can view grades of other students by manipulating the student_id parameter in the marks viewing endpoint. The vulnerability exists due to insufficient access control checks in MarkController.php. At the time of publication of the CVE no patch is available.
Severity
4.3 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://huntr.com/bounties/90a7299e-9233-43fd-b66… | exploit |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Unifiedtransform | Unifiedtransform |
Affected:
2.0
|
|
| unifiedtransform | unifiedtransform |
Affected:
2.0
cpe:2.3:a:unifiedtransform:unifiedtransform:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:unifiedtransform:unifiedtransform:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "unifiedtransform",
"vendor": "unifiedtransform",
"versions": [
{
"status": "affected",
"version": "2.0"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-12305",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-09T15:29:31.770586Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-09T15:30:21.269Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Unifiedtransform",
"programFiles": [
"https://github.com/changeweb/Unifiedtransform/blob/fac7f551ff9284f9586a6644b057b76c1254c194/app/Http/Controllers/MarkController.php#L108"
],
"repo": "https://github.com/changeweb/Unifiedtransform",
"vendor": "Unifiedtransform",
"versions": [
{
"status": "affected",
"version": "2.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "ZHAW Information Security Research Group"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An object-level access control vulnerability in Unifiedtransform version 2.0 and potentially earlier versions allows unauthorized access to student grades. A malicious student user can view grades of other students by manipulating the student_id parameter in the marks viewing endpoint. The vulnerability exists due to insufficient access control checks in MarkController.php. At the time of publication of the CVE no patch is available.\u003cbr\u003e"
}
],
"value": "An object-level access control vulnerability in Unifiedtransform version 2.0 and potentially earlier versions allows unauthorized access to student grades. A malicious student user can view grades of other students by manipulating the student_id parameter in the marks viewing endpoint. The vulnerability exists due to insufficient access control checks in MarkController.php. At the time of publication of the CVE no patch is available."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-09T08:49:53.971Z",
"orgId": "455daabc-a392-441d-aa46-37d35189897c",
"shortName": "NCSC.ch"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://huntr.com/bounties/90a7299e-9233-43fd-b666-7375c4fdbb3c"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Object-Level Access Control Vulnerability Allows Unauthorized Access to Student Grades in Unifiedtransform",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "455daabc-a392-441d-aa46-37d35189897c",
"assignerShortName": "NCSC.ch",
"cveId": "CVE-2024-12305",
"datePublished": "2024-12-09T08:49:53.971Z",
"dateReserved": "2024-12-06T15:05:32.039Z",
"dateUpdated": "2024-12-09T15:30:21.269Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}