Description
A security vulnerability has been detected in SourceCodester Onlne Examination & Learning Management System 1.0. This affects an unknown part of the file /ajax_enroll.php of the component Enrollment Management. The manipulation of the argument student_id/schedule_id/action leads to improper authorization. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used. The name of the affected product appears to have a typo in it.
Published: 2026-07-05
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the Enrollment Management component of SourceCodester’s Online Examination & Learning Management System allows improper authorization when manipulating the student_id, schedule_id, and action arguments. This weakness can enable an attacker to enroll arbitrary students or perform actions that should be restricted, thereby compromising data integrity and potentially granting elevated privileges. The vulnerability is exploitable remotely and may be used against the public facing endpoint /ajax_enroll.php.

Affected Systems

The affected product is SourceCodester Online Examination & Learning Management System version 1.0. The problematic code resides in the ajax_enroll.php file within the Enrollment Management feature. No other components or editions were identified as vulnerable.

Risk and Exploitability

The CVSS base score of 6.9 indicates moderate to high severity for this authorization issue. No EPSS score was provided, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is remote, requiring only crafted HTTP requests to the exposed endpoint. An attacker with remote access can send the altered student_id, schedule_id, and action parameters and bypass existing access controls, potentially enrolling a student for a course without proper authorization.

Generated by OpenCVE AI on July 6, 2026 at 12:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any vendor patch or update that fixes the improper authorization bug in ajax_enroll.php; check the SourceCodester website or vendor portal for releases.
  • If a patch is unavailable, enforce strict access control on the ajax_enroll.php endpoint by requiring authenticated sessions and verifying that the requester has legitimate rights to modify enrollment data before processing the supplied parameters.
  • Implement comprehensive server‑side input validation and authorization checks so that the provided student_id, schedule_id, and action values are cross‑referenced against the authenticated user’s permitted actions; log all enrollment attempts for audit.

Generated by OpenCVE AI on July 6, 2026 at 12:43 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 06 Jul 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 06 Jul 2026 00:00:00 +0000

Type Values Removed Values Added
Description A security vulnerability has been detected in SourceCodester Onlne Examination & Learning Management System 1.0. This affects an unknown part of the file /ajax_enroll.php of the component Enrollment Management. The manipulation of the argument student_id/schedule_id/action leads to improper authorization. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used. The name of the affected product appears to have a typo in it.
Title SourceCodester Onlne Examination & Learning Management System Enrollment Management ajax_enroll.php improper authorization
First Time appeared Sourcecodester
Sourcecodester onlne Examination Learning Management System
Weaknesses CWE-266
CWE-285
CPEs cpe:2.3:a:sourcecodester:onlne_examination_learning_management_system:*:*:*:*:*:*:*:*
Vendors & Products Sourcecodester
Sourcecodester onlne Examination Learning Management System
References
Metrics cvssV2_0

{'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


Subscriptions

Sourcecodester Onlne Examination Learning Management System
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-07-06T13:15:27.861Z

Reserved: 2026-07-05T04:08:21.195Z

Link: CVE-2026-14778

cve-icon Vulnrichment

Updated: 2026-07-06T13:15:23.895Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-06T12:45:05Z

Weaknesses
  • CWE-266

    Incorrect Privilege Assignment

  • CWE-285

    Improper Authorization