Home
Description
Missing authentication in /admin/student.php and /admin/teacher.php in ProjectWorlds Online Time Table Generator 1.0 allows remote attackers to obtain sensitive information (including plaintext password field values) via direct HTTP GET requests to these endpoints without a valid session.
References
projectworlds.com/online-time-table-generator-php-mysql/
youngkevinn.github.io/...E-2025-70147-OTTTG-Info-Disclosure/