Impact
A flaw in the Enrollment Management component of SourceCodester’s Online Examination & Learning Management System allows improper authorization when manipulating the student_id, schedule_id, and action arguments. This weakness can enable an attacker to enroll arbitrary students or perform actions that should be restricted, thereby compromising data integrity and potentially granting elevated privileges. The vulnerability is exploitable remotely and may be used against the public facing endpoint /ajax_enroll.php.
Affected Systems
The affected product is SourceCodester Online Examination & Learning Management System version 1.0. The problematic code resides in the ajax_enroll.php file within the Enrollment Management feature. No other components or editions were identified as vulnerable.
Risk and Exploitability
The CVSS base score of 6.9 indicates moderate to high severity for this authorization issue. No EPSS score was provided, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is remote, requiring only crafted HTTP requests to the exposed endpoint. An attacker with remote access can send the altered student_id, schedule_id, and action parameters and bypass existing access controls, potentially enrolling a student for a course without proper authorization.
OpenCVE Enrichment