A critical vulnerability has been identified in multiple products, specifically within the Institute-of-Current-Students 1.0 software. This flaw allows an unauthenticated attacker to retrieve sensitive student details simply by knowing a student's email address, leading to a severe data breach. Immediate patching is required to prevent the mass exposure of Personally Identifiable Information (PII).

The application suffers from an Incorrect Access Control vulnerability, also known as an Insecure Direct Object Reference (IDOR). The mydetailsstudent.php endpoint fails to validate if the user requesting data is authorized to view it. An attacker can craft a simple GET request to this endpoint (e.g., https://[target]/mydetailsstudent.php?myds=[student_email]) and substitute any valid student email address to retrieve that student's personal information without authentication.

This vulnerability is rated as critical severity with a CVSS score of 9.8, reflecting the ease of exploitation and the high impact on confidentiality. Successful exploitation would result in a large-scale data breach of sensitive student PII, such as names, addresses, contact information, and academic records. This could lead to significant reputational damage, loss of trust from students and parents, regulatory fines under data protection laws (e.g., GDPR, FERPA), and potential legal action from affected individuals. The compromised data could also be used for identity theft, phishing, and other malicious activities.

Immediate Action: The primary remediation is to identify all instances of the vulnerable software and update to the latest patched version as provided by the vendor. After patching, confirm the vulnerability has been resolved by testing the mydetailsstudent.php endpoint.

Proactive Monitoring: System administrators should actively monitor web server access logs for any requests to the mydetailsstudent.php endpoint. Specifically, look for a high volume of requests from a single IP address or requests enumerating multiple different email addresses in the myds parameter, as these are strong indicators of an exploitation attempt.

Compensating Controls: If immediate patching is not feasible, implement a Web Application Firewall (WAF) rule to block or rate-limit all requests to the mydetailsstudent.php endpoint. Alternatively, if the endpoint's functionality is not business-critical, disable it entirely or restrict access to it at the network or application level to only trusted, authenticated administrative users.

Public Exploit Available: true

Given the critical CVSS score of 9.8 and the trivial nature of exploitation, this vulnerability poses an immediate and severe risk to the organization. We strongly recommend that all affected systems be identified and patched immediately. This vulnerability should be prioritized with the highest urgency, equivalent to that of a CISA KEV entry, to prevent a potentially devastating data breach.