Home Latest Cyber Security News | Network Security Hacking UniverSIS Platform Vulnerability Could Allow Manipulating Students’ Grades
Latest Cyber Security News | Network Security HackingNewsVulnerabilities

UniverSIS Platform Vulnerability Could Allow Manipulating Students’ Grades

by Abeerah Hashim
written by Abeerah Hashim
OAS Platform Bugs

Researchers discovered a major vulnerability in the student grading platform for Greek universities “UniverSIS.” Exploiting the bug could allow an adversary to manipulate students’ academic grades. The maintainers addressed the bug soon after the report.

UniverSIS University Grading Platform Vulnerability

As elaborated in a recent post, the researcher Stavros Mekesis discovered a SQL injection vulnerability in the UniverSIS platform API.

UniverSIS is an open-source platform meant to facilitate Greek universities in maintaining students’ academic grading and related data. The platform is currently in use by numerous Greek universities; hence, any bugs could directly affect a considerable number of students.

According to the researcher, the SQL injection vulnerability existed in the UniverSIS-API via the $select parameter in multiple API endpoints. The bug appeared due to “improper validation of user-supplied input to the $select parameter.

Regarding the impact of exploiting this vulnerability, the researcher stated,

A remote authenticated attacker could send specially crafted SQL statements to a vulnerable UniverSIS API endpoint (e.g. /api/students/me/messages/) using the $select parameter, which could allow the attacker to view, add, modify or delete information in the back-end database.

Exploiting the bug could allow the attacker to retrieve any information from the database, including students’ personal details and academic records. Also, the attacker could modify the details in the databases, hence disrupting university records.

The researcher has also shared a PoC exploit in the post.

Patch Released

Following this discovery, the researcher promptly notified the platform developers on April 17, 2022. In response, the developers acted quickly to fix the bug the very next day.

This vulnerability, CVE-2022-29603, affected all UniverSIS versions up to 1.2.1.

The researcher confirmed that the team fixed the flaw with commit 39e47d7f. Hence, all universities using the platform should update their systems with the latest UniverSIS release to receive the fix. It is essential now that the PoC exploit is out, and the adversaries won’t miss the chance to use it for malicious purposes.

Let us know your thoughts in the comments.

source: https://portswigger.net/daily-swig/student-grades-stored-in-greek-education-platform-universis-could-be-manipulated-via-sqli

Abeerah has been a passionate blogger for several years with a particular interest towards science and technology. She is crazy to know everything about the latest tech developments. Knowing and writing about cybersecurity, hacking, and spying has always enchanted her. When she is not writing, what else can be a better pastime than web surfing and staying updated about the tech world! Reach out to me at: [email protected]

You may also like

Xiid SealedTunnel: Unfazed by Yet Another Critical Firewall...

Personal Data Exposed in Massive Global Hack: Understanding...

Guardz Welcomes SentinelOne as Strategic Partner and Investor...

Invision Community Vulnerabilities Risk E-Commerce Websites

Microsoft April Patch Tuesday Fixes Dozens of RCE...

Match Systems publishes report on the consequences of...

Cypago Announces New Automation Support for AI Security...

LayerSlider WordPress Plugin Vulnerability Affected Thousands Of Websites

OWASP Disclosed Data Breach Affecting Old Members

Center Identity Launches Patented Passwordless Authentication for Businesses