CVE-2025-61148

Published December 4th, 2025

View on NVD ↗

CVSS v3

6.5

MEDIUM

CVSS v2

N/A

Affected

PROJECT

Description

An Insecure Direct Object Reference (IDOR) vulnerability in the EduplusCampus 3.0.1 Student Payment API allows authenticated users to access other students personal and financial records by modifying the 'rec_no' parameter in the /student/get-receipt endpoint.

sharma19d/CVE-2025-61148

The vulnerability exists in the Student Payment API. The application fails to properly validate whether the user requesting a receipt is authorized to view it. By modifying the rec_no parameter in the API request, an attacker can access the receipts of other users.

GitHub