sharma19d/CVE-2025-61148

The vulnerability exists in the Student Payment API. The application fails to properly validate whether the user requesting a receipt is authorized to view it. By modifying the rec_no parameter in the API request, an attacker can access the receipts of other users.

CVE History

CVE | Published | CVSS v3 | CVSS v2
6.5 MEDIUM

An Insecure Direct Object Reference (IDOR) vulnerability in the EduplusCampus 3.0.1 Student Payment API allows authenticated users to access other students' personal and financial records by modifying the 'rec_no' parameter in the /student/get-receipt endpoint.
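
The missing check described above, as an added example that is not code from this repository or from the vendor: a receipt lookup that only authenticates the caller, beside one that also verifies the receipt belongs to the session's student, plus a small audit helper for regression tests. The data model, function names and sample records are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Receipt:
    rec_no: int
    student_id: str
    amount: str


# Constructed sample records and hypothetical names; not the vendor's code.
RECEIPTS = {
    1001: Receipt(1001, "stu-alice", "450.00"),
    1002: Receipt(1002, "stu-bob", "1200.00"),
}


class Forbidden(Exception):
    """Raised when the caller may not read the requested receipt."""


def get_receipt_vulnerable(session_student_id: str, rec_no: int) -> Receipt:
    # Authentication only: any logged-in user gets whatever rec_no names.
    if not session_student_id:
        raise Forbidden("login required")
    return RECEIPTS[rec_no]


def get_receipt_hardened(session_student_id: str, rec_no: int) -> Receipt:
    # Authorization: the receipt must belong to the session's student.
    if not session_student_id:
        raise Forbidden("login required")
    receipt = RECEIPTS.get(rec_no)
    # Same error for "missing" and "not yours", so rec_no cannot be probed.
    if receipt is None or receipt.student_id != session_student_id:
        raise Forbidden("receipt not available")
    return receipt


def audit_access(fetch, session_student_id: str, rec_nos) -> list:
    """Return rec_nos the session could read that belong to someone else."""
    leaked = []
    for rec_no in rec_nos:
        try:
            owner = fetch(session_student_id, rec_no).student_id
        except (Forbidden, KeyError):
            continue
        if owner != session_student_id:
            leaked.append(rec_no)
    return leaked
```

The owner is taken from the server-side session, never from a request parameter; `audit_access` returning an empty list for every test account is the regression check.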