Description
An issue was discovered in SpeedExam Online Examination System (SaaS) after v.FEV2026. It allows Broken Access Control via the ReviewAnswerDetails ASP.NET PageMethod. Authenticated attackers can bypass client-side restrictions and invoke this method directly to retrieve the full answer key. The provider states that this issue is "Fixed in [02/2026] backend service update."
Published: 2026-03-17
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Confidentiality Compromise
Action: Patch Immediately
AI Analysis

Impact

A broken access control vulnerability exists in the SpeedExam Online Examination System: invoking the ReviewAnswerDetails PageMethod directly, bypassing the client‑side controls, exposes the full answer key to authenticated users. The flaw permits attackers with credentials to download every answer key, compromising the confidentiality and integrity of exam content and potentially enabling cheating.

Affected Systems

SpeedExam Online Examination System SaaS versions released after v.FEV2026 are affected. The issue applies to all environments running the unpatched backend service until the February 2026 update is applied.

Risk and Exploitability

The CVSS base score of 8.1 marks the vulnerability as high severity, and the EPSS score of less than 1% suggests a low probability of exploitation. The flaw requires authenticated access; however, an attacker can force the PageMethod to return the entire answer key, bypassing client‑side checks. Organizations that expose this endpoint to students or generic users face significant risk to exam integrity. The vulnerability is not listed in the CISA KEV catalog. Prompt remediation is essential.

Generated by OpenCVE AI on March 24, 2026 at 19:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the February 2026 backend service update that fixes the ReviewAnswerDetails access control flaw.
  • Verify that the update has removed the ability to retrieve full answer keys via the ReviewAnswerDetails method.
  • If the patch is not yet available, restrict the ReviewAnswerDetails endpoint to a limited set of trusted administrative accounts and disable any public API access.
  • Monitor system logs for abnormal calls to the ReviewAnswerDetails method to detect potential exploitation attempts.
  • Stay informed of further vendor advisories and apply any subsequent updates promptly.

Advisories

No advisories yet.

History

Wed, 25 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
Title SpeedExam Online Examination System ReviewAnswerDetails Access Control Bypass Exposes Full Answer Key

Tue, 24 Mar 2026 18:00:00 +0000

Type: Description
Values Removed: An issue was discovered in SpeedExam Online Examination System (SaaS) after v.FEV2026. It allows Broken Access Control via the ReviewAnswerDetails ASP.NET PageMethod. Authenticated attackers can bypass client-side restrictions and invoke this method directly to retrieve the full answer key
Values Added: An issue was discovered in SpeedExam Online Examination System (SaaS) after v.FEV2026. It allows Broken Access Control via the ReviewAnswerDetails ASP.NET PageMethod. Authenticated attackers can bypass client-side restrictions and invoke this method directly to retrieve the full answer key. The provider states that this issue is "Fixed in [02/2026] backend service update."

Tue, 24 Mar 2026 13:30:00 +0000

Type Values Removed Values Added
Title SpeedExam Online Examination System ReviewAnswerDetails Access Control Bypass Exposes Full Answer Key

Wed, 18 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 18 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Speedexam
Speedexam online Examination System
Vendors & Products Speedexam
Speedexam online Examination System

Tue, 17 Mar 2026 19:30:00 +0000

Type Values Removed Values Added
Description An issue was discovered in SpeedExam Online Examination System (SaaS) after v.FEV2026. It allows Broken Access Control via the ReviewAnswerDetails ASP.NET PageMethod. Authenticated attackers can bypass client-side restrictions and invoke this method directly to retrieve the full answer key
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-23T15:31:21.485Z

Reserved: 2026-03-04T00:00:00.000Z

Link: CVE-2026-30707

Vulnrichment

Updated: 2026-03-18T13:36:09.012Z

NVD

Status: Awaiting Analysis

Published: 2026-03-17T20:16:13.870

Modified: 2026-03-24T18:16:09.080

Link: CVE-2026-30707

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T11:52:59Z

Weaknesses