A newly discovered Insecure Direct Object References (IDOR) vulnerability in the Serosoft Solutions Pvt Ltd Academia Student Information System (SIS) EagleR v1.0.118 software could allow attackers to access sensitive student data. Specifically, the component /getStudemtAllDetailsById?studentId=XX is affected, allowing attackers to access the information using a specially crafted API request. This post will detail the exploit, provide a code snippet that demonstrates the problem, and link to original references that describe the vulnerability in detail.
Exploit Details
The vulnerability (CVE-2025-25952) occurs due to a lack of proper access control mechanisms within the component /getStudemtAllDetailsById?studentId=XX of the Serosoft Academia SIS EagleR v1.0.118 software. Attackers can provide arbitrary student IDs to access sensitive student information without having the necessary permissions.
To exploit the vulnerability, an attacker can craft an API request using the student ID parameter, like this:
GET /getStudemtAllDetailsById?studentId=XX HTTP/1.1
Host: vulnerable.server.com
User-Agent: SomeUserAgent/1.0
Accept: */*
Accept-Language: en-US,en;q=0.5
In the above example, the attacker simply replaces XX with the target student ID. As a result, the attacker will receive a JSON object containing sensitive data, such as the student's name, email address, date of birth, and other private information.
For more details on this vulnerability, you can review the following sources:
- MITRE CVE Database
- National Vulnerability Database (NVD)
Mitigation
Here are some recommendations for administrators using Serosoft Solutions Pvt Ltd Academia SIS EagleR v1.0.118 to minimize the risk of exploitation:
1. Implement proper access controls for the /getStudemtAllDetailsById?studentId=XX component to ensure that only authorized users can access sensitive student information.
2. Keep the Academia SIS EagleR software updated to the latest version and apply security patches as soon as they become available.
3. Monitor API requests to the /getStudemtAllDetailsById?studentId=XX component to detect any suspicious activities and block potentially malicious IP addresses.
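The following Python example is added here to illustrate recommendations 1 and 3; it is not Serosoft's code and does not reflect how Academia SIS is implemented internally. It assumes a session model in which each request carries an authenticated caller with a user ID and a role, and it uses constructed student records and constructed access-log lines in the common log format. The first part places an IDOR-style handler (any studentId is returned) beside a hardened one that authorizes the caller against the requested object before touching the record; the second part scans access-log lines for a single client requesting many distinct studentId values in a short window, which is the signature an administrator would monitor for.

```python
"""Added example: object-level authorization for a student-details lookup
and a log-based detector for studentId enumeration (not vendor code)."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample records standing in for the SIS database.
STUDENTS = {
    1001: {"name": "Alice Example", "email": "alice@example.edu", "dob": "2004-02-11"},
    1002: {"name": "Bob Example", "email": "bob@example.edu", "dob": "2003-09-30"},
}


@dataclass(frozen=True)
class Caller:
    """Authenticated principal attached to the request (assumed session model)."""
    user_id: int
    role: str  # "student" or "staff"


class Forbidden(Exception):
    """Raised when the caller is not allowed to read the requested student."""


def get_student_details_vulnerable(student_id: int) -> dict:
    """IDOR pattern: whatever ID the caller supplies is looked up and returned."""
    return STUDENTS[student_id]


def get_student_details_secure(caller: Caller, student_id: int) -> dict:
    """Hardened: authorize the (caller, object) pair before the lookup.

    The authorization decision is made before the existence check so that a
    student probing other IDs gets the same answer whether or not the ID exists.
    """
    is_self = caller.role == "student" and caller.user_id == student_id
    if not (is_self or caller.role == "staff"):
        raise Forbidden(f"user {caller.user_id} may not read student {student_id}")
    if student_id not in STUDENTS:
        raise KeyError(student_id)
    return STUDENTS[student_id]


# Common-log-format line for the affected endpoint; status and size follow.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"GET /getStudemtAllDetailsById\?studentId=(?P<sid>\d+) HTTP/1\.[01]" '
    r'(?P<status>\d{3})'
)


def detect_enumeration(lines, window=timedelta(minutes=5), threshold=10):
    """Return {ip: distinct_ids} for clients that requested more than
    `threshold` distinct studentId values within any `window`-long span."""
    events = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unrelated endpoint or unparsable line
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        events[m["ip"]].append((ts, int(m["sid"])))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            distinct = {sid for ts, sid in evs[i:] if ts - start <= window}
            if len(distinct) > threshold:
                flagged[ip] = max(flagged.get(ip, 0), len(distinct))
    return flagged


def _log_line(ip, ts, sid, status=200):
    """Build one constructed access-log line (sample data, not a real log)."""
    stamp = ts.strftime("%d/%b/%Y:%H:%M:%S %z")
    return (f'{ip} - - [{stamp}] "GET /getStudemtAllDetailsById?studentId={sid} '
            f'HTTP/1.1" {status} 512')


_T0 = datetime(2025, 3, 3, 1, 15, 0, tzinfo=timezone.utc)
# Constructed log: one client walks 12 consecutive IDs in under a minute,
# another client fetches its own record three times.
SAMPLE_LOG = (
    [_log_line("203.0.113.10", _T0 + timedelta(seconds=5 * i), 1000 + i) for i in range(12)]
    + [_log_line("198.51.100.7", _T0 + timedelta(seconds=30 * i), 1001) for i in range(3)]
)


if __name__ == "__main__":
    alice = Caller(user_id=1001, role="student")
    print(get_student_details_secure(alice, 1001)["name"])
    try:
        get_student_details_secure(alice, 1002)
    except Forbidden as exc:
        print("blocked:", exc)
    print("enumeration suspects:", detect_enumeration(SAMPLE_LOG))
```

The authorization check keys on the caller's identity taken from the session, never on anything in the query string; the studentId parameter only selects which record is requested, and the server decides whether this caller may see it. The detector's window and threshold are tuning knobs: legitimate staff portals may fetch many records, so baseline them per role or per source before alerting.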
Conclusion
In summary, CVE-2025-25952 is an Insecure Direct Object References (IDOR) vulnerability in Serosoft Solutions Pvt Ltd Academia Student Information System (SIS) EagleR v1.0.118 that allows attackers to access sensitive user information via a crafted API request. By exploiting this vulnerability, attackers can potentially harvest a wealth of sensitive data about students, which can be misused for malicious purposes. Administrators should take immediate action to secure their systems, implement proper access controls, and update the software to mitigate this risk.
Timeline
Published on: 03/03/2025 01:15:11 UTC
Last modified on: 03/05/2025 18:15:38 UTC