Skip to content

Instantly share code, notes, and snippets.

@b0mk35h

b0mk35h/CVE-2025-508.md Secret

Created July 25, 2025 17:45
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save b0mk35h/c4d47b5c4aacecdc8e6c4b02b40ce302 to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save b0mk35h/c4d47b5c4aacecdc8e6c4b02b40ce302 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
CVE-2025-508.md

Author: Pronay Biswas LinkedIn

CVE-2025-50870 – Broken Access Control

Institute-of-Current-Students is vulnerable to Incorrect Access Control in the mydetailsstudent.php endpoint. The myds GET parameter accepts an email address as input and directly returns the corresponding student's personal information without validating the identity or permissions of the requesting user. This allows any authenticated or unauthenticated attacker to enumerate and retrieve sensitive student details, leading to information disclosure.

Affected Component

  • File: mydetailsstudent.php
  • Endpoint: http://127.0.0.1/Institute-of-Current-Students/mydetailsstudent.php

Attack Vectors
To exploit the vulnerability, an attacker only needs to modify the myds GET parameter to another student's email address (e.g., myds=victim@example.com). No authentication or authorization checks are enforced on the backend to verify that the requesting user is authorized to view the details of the target student. This results in a Broken Access Control vulnerability.

Additional Information
Impact:

  • Unauthorized access to other students' personal information
  • Privacy violation
  • Potential identity theft or profiling
  • Non-compliance with data protection regulations

Affected Product Code Base
Institute of Current-Students PHP Project

Reference
https://cwe.mitre.org/data/definitions/284.html

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment