CVE-2025-70146
ProjectWorlds · Online Time Table Generator
Missing authentication in administrative scripts of the Online Time Table Generator allows unauthenticated attackers to perform unauthorized data operations via direct HTTP requests.
Executive summary
Unauthenticated attackers can gain full administrative control over the ProjectWorlds Online Time Table Generator due to missing session validation on critical management endpoints.
Vulnerability
Several administrative scripts located under the /admin/ directory fail to verify whether the requesting user is logged in. This allows an unauthenticated remote attacker to add, delete, or modify records by sending direct HTTP requests to these endpoints.
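The following is an added illustration and is not ProjectWorlds code. It shows the pattern described above (an /admin/ script that performs a data operation without ever checking for a session) next to the session guard that the Remediation section's first item calls for. The script and table names, the login script, and the $_SESSION['admin_id'] key are hypothetical; the only difference between the "before" and "after" scripts is the authentication check.

```php
<?php
// Added example, not ProjectWorlds code.
// Hypothetical names: $_SESSION['admin_id'] (set by admin/login.php after a
// successful login), the table "subjects", and the script file names below.

// ---- Before: admin/delete_subject.php, the vulnerable pattern ----
// <?php
// require '../db.php';                     // $conn: mysqli connection
// $id = (int) $_GET['id'];
// $stmt = $conn->prepare('DELETE FROM subjects WHERE id = ?');
// $stmt->bind_param('i', $id);
// $stmt->execute();
// header('Location: subjects.php');
//
// Nothing ties the request to a logged-in administrator, so any client that
// can reach /admin/delete_subject.php?id=7 removes that row.

// ---- Fix: admin/auth_guard.php, required first in every /admin/ script ----
function require_admin_session(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        // Session id travels only in an HttpOnly cookie, never in the URL.
        session_set_cookie_params(['httponly' => true, 'samesite' => 'Lax']);
        session_start();
    }
    // Refuse unless the login script bound an administrator identity to
    // this session. Anonymous or expired sessions have no admin_id.
    if (empty($_SESSION['admin_id'])) {
        http_response_code(403);
        header('Location: /admin/login.php');
        exit;
    }
}

// ---- After: admin/delete_subject.php with the guard in place ----
// <?php
// require __DIR__ . '/auth_guard.php';
// require_admin_session();                 // unauthenticated => 403, exit
// require '../db.php';
// if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
//     http_response_code(405);             // state-changing action: POST only
//     exit;
// }
// $id = (int) $_POST['id'];
// $stmt = $conn->prepare('DELETE FROM subjects WHERE id = ?');
// $stmt->bind_param('i', $id);
// $stmt->execute();
// header('Location: subjects.php');
```

The guard lives in one file and is the first statement of every management script, so a script that forgets it is easy to spot in review (grep for require_admin_session across /admin/). Keeping the check before any database or output code matters: a check placed after the operation still lets the operation run.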
Business impact
The lack of authentication leads to a complete loss of data integrity and availability. Attackers can wipe schedules, inject malicious data, or disrupt the primary function of the application. The CVSS score of 9.1 reflects the high impact of unauthorized administrative access.
Remediation
Immediate Action: Update the software to the latest version or manually implement session checks at the beginning of every script within the /admin/ directory.
Proactive Monitoring: Audit web server access logs for requests to /admin/ endpoints that do not originate from authorized IP addresses or lack associated session cookies.
Compensating Controls: Use a reverse proxy or web server configuration to restrict access to the /admin/ directory to a specific whitelist of internal IP addresses.
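The following added example (not ProjectWorlds code) implements the "Proactive Monitoring" item above: it scans web server access-log lines and reports requests to /admin/ endpoints that either come from outside an administrator allowlist or carry no session cookie. It assumes a hypothetical log format consisting of the common "combined" format with the Cookie request header appended as a final quoted field, a session cookie named PHPSESSID, and 10.0.0.0/8 as the administrative network; the sample log lines are constructed for the example.

```php
<?php
// Added example, not ProjectWorlds code.
// Assumptions (hypothetical): combined log format plus "%{Cookie}i" as the last
// field, session cookie PHPSESSID, admin workstations on 10.0.0.0/8.

const ADMIN_NETWORKS = ['10.0.0.0/8'];
const SESSION_COOKIE = 'PHPSESSID';

// ip - - [time] "METHOD path proto" status bytes "referer" "agent" "cookies"
const LOG_RE = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ '
             . '"[^"]*" "[^"]*" "([^"]*)"$/';

// True when the IPv4 address lies inside the CIDR block.
function ip_in_cidr(string $ip, string $cidr): bool
{
    [$net, $bits] = explode('/', $cidr);
    $mask = -1 << (32 - (int) $bits);
    return (ip2long($ip) & $mask) === (ip2long($net) & $mask);
}

// Returns a finding for a suspicious /admin/ request, or null otherwise.
function audit_line(string $line): ?array
{
    if (!preg_match(LOG_RE, rtrim($line), $m)) {
        return null;                                  // unrecognised entry
    }
    [, $ip, $time, $method, $path, $status, $cookies] = $m;
    if (strpos($path, '/admin/') !== 0) {
        return null;                                  // not a management endpoint
    }
    $reasons = [];

    $allowed = false;
    foreach (ADMIN_NETWORKS as $cidr) {
        if (ip_in_cidr($ip, $cidr)) { $allowed = true; break; }
    }
    if (!$allowed) {
        $reasons[] = 'source IP outside admin allowlist';
    }

    // The login page is reached before a session exists, so a missing cookie
    // is only suspicious on the other /admin/ scripts.
    $isLogin = strpos($path, '/admin/login.php') === 0;
    if (!$isLogin && !preg_match('/(^|;\s*)' . SESSION_COOKIE . '=/', $cookies)) {
        $reasons[] = 'no session cookie';
    }

    return $reasons
        ? ['ip' => $ip, 'time' => $time, 'request' => "$method $path",
           'status' => (int) $status, 'reasons' => $reasons]
        : null;
}

// Constructed sample log lines for demonstration.
$sample = [
    '203.0.113.45 - - [10/Jan/2025:14:02:11 +0000] "GET /admin/delete_subject.php?id=7 HTTP/1.1" 302 0 "-" "curl/8.4.0" "-"',
    '10.0.0.12 - - [10/Jan/2025:14:03:40 +0000] "POST /admin/add_subject.php HTTP/1.1" 200 512 "http://timetable.internal/admin/subjects.php" "Mozilla/5.0" "PHPSESSID=abc123"',
    '10.0.0.12 - - [10/Jan/2025:14:01:05 +0000] "GET /admin/login.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0" "-"',
    '198.51.100.7 - - [10/Jan/2025:14:05:00 +0000] "GET /index.php HTTP/1.1" 200 3400 "-" "Mozilla/5.0" "-"',
];

foreach ($sample as $line) {
    $finding = audit_line($line);
    if ($finding !== null) {
        // A 2xx/3xx status here means the request was served, not rejected.
        printf("%s %s %s -> %d : %s\n", $finding['time'], $finding['ip'],
               $finding['request'], $finding['status'],
               implode(', ', $finding['reasons']));
    }
}
```

Run against a real log with `php audit.php < access.log` after replacing $sample with a loop over STDIN. Only the first sample line is reported (external source, no cookie, and a 302 that indicates the delete was processed); the authenticated POST from the admin network and the cookieless visit to the login page are not, and the non-admin request is ignored. Once the reverse-proxy allowlist from the "Compensating Controls" item is in place, any line this check still reports is worth investigating, since such requests should no longer reach the application at all.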
Exploitation status
Public Exploit Available: No
Analyst recommendation
Authentication bypasses on administrative interfaces are severe security failures. We recommend an immediate review of all administrative scripts to ensure robust session validation is enforced, alongside restricting network access to the management portal.