A high-severity Missing Authorization vulnerability has been identified in the Ventem e-School platform. This flaw allows any authenticated user, regardless of their privilege level, to perform administrative actions, including creating, modifying, and deleting user accounts. Successful exploitation could lead to a complete compromise of user account integrity, operational disruption, and unauthorized access to sensitive data.

The application fails to properly verify if a user is authorized to access administrative functions. While the system checks if a user is authenticated (logged in), it does not check if the authenticated user has the necessary administrative privileges for sensitive actions. A remote attacker with a standard, low-privilege account (e.g., a student or teacher account) can directly call or navigate to administrative endpoints or pages and execute high-privilege operations, such as creating new administrator accounts or deleting existing users.

This vulnerability is rated as High severity with a CVSS score of 8.8. Exploitation could have a severe impact on business operations and data security. An attacker could create rogue administrator accounts for persistent access, delete or modify legitimate student and faculty accounts causing a denial of service, or alter sensitive information within the system. This poses significant risks, including data breaches, loss of data integrity, operational disruption for the educational institution, and reputational damage.

Immediate Action: Apply the security updates provided by Ventem immediately across all affected instances of the e-School platform. After patching, conduct a thorough audit of all user accounts to identify and remove any unauthorized or maliciously modified accounts. Review server and application access logs for any suspicious activity related to account management originating from non-administrative users.

Proactive Monitoring: Organizations should configure monitoring and alerting on application and web server logs. Specifically, monitor for direct access to administrative URLs or API endpoints (e.g., /admin/users, /api/account/delete) from user accounts that are not designated administrators. An unusual increase in account creation or deletion events should be treated as a potential indicator of compromise.

Compensating Controls: If patching cannot be performed immediately, implement a Web Application Firewall (WAF) rule to block non-administrative users from accessing known administrative paths. As another temporary measure, restrict network access to the application's administrative interface to a limited set of trusted IP addresses belonging to system administrators.

Public Exploit Available: false

Given the high CVSS score of 8.8 and the simplicity of exploitation for an attacker with basic access, this vulnerability presents a significant risk. We strongly recommend that organizations prioritize the immediate application of the vendor-supplied security patches. Following patching, a comprehensive audit of all user accounts is critical to ensure no unauthorized changes were made prior to remediation. Although not on the CISA KEV list, the severity of this vulnerability warrants urgent and immediate attention to prevent potential compromise.