Description

An Insecure Direct Object Reference (IDOR) vulnerability in the EduplusCampus 3.0.1 Student Payment API allows authenticated users to access other students' personal and financial records by modifying the 'rec_no' parameter in the /student/get-receipt endpoint.

PUBLISHED Reserved 2025-09-26 | Published 2025-12-04 | Updated 2025-12-04 | Assigner mitre

References

drive.google.com/...TY6KU4uaelAUn7L9Cn6XfjC/view?usp=sharing

medium.com/...acked-all-universities-in-my-city-d6b8e320455c

github.com/sharma19d/CVE-2025-61148

cve.org (CVE-2025-61148)

nvd.nist.gov (CVE-2025-61148)