A high-severity vulnerability has been identified in multiple products within the Student Learning Assessment and Support System. This flaw allows an unauthenticated attacker to remotely access a specific page and retrieve sensitive test account credentials, leading to a significant data breach and unauthorized system access. Immediate patching is required to mitigate the risk of account compromise and protect sensitive educational data.

The vulnerability is an Exposure of Sensitive Information (CWE-200) within the Student Learning Assessment and Support System. A specific web page within the application lacks proper access controls, allowing any remote, unauthenticated user to view its contents simply by navigating to the correct URL. This exposed page contains sensitive test account usernames and passwords in a readable format, which an attacker can harvest without needing any special privileges or user interaction.

This vulnerability is rated as High severity with a CVSS score of 7.5. Successful exploitation would result in a direct breach of user credentials, granting attackers unauthorized access to the learning and assessment platform. The potential consequences include theft of sensitive student data, manipulation of test results, academic integrity violations, and significant reputational damage to the institution. The ease of exploitation—requiring no authentication—presents a critical risk of widespread account compromise.

Immediate Action: Apply the security updates provided by the vendor, JHENG GAO, immediately across all affected systems. After patching, it is crucial to monitor for any signs of exploitation attempts that may have occurred prior to remediation and to review web server and application access logs for indicators of compromise.

Proactive Monitoring: Monitor web server access logs for an unusual volume of requests to specific, non-public pages, especially from untrusted or unknown IP addresses. Security teams should also monitor for a spike in login attempts, both successful and failed, from external sources using the potentially compromised test account credentials.

Compensating Controls: If immediate patching is not feasible, implement a compensating control by configuring a Web Application Firewall (WAF) or web server access rule to explicitly deny all external access to the specific vulnerable URL. Additionally, consider restricting access to administrative or sensitive sections of the application to trusted IP address ranges.

Public Exploit Available: false

Given the High severity (CVSS 7.5) and the direct path to credential compromise with no authentication required, this vulnerability poses a critical threat. Although not currently listed on the CISA KEV catalog, its simplicity makes it a highly attractive target. We strongly recommend that organizations prioritize the deployment of the vendor-supplied patches as the primary remediation action to prevent unauthorized access and a potential data breach.