Impact
openSIS Classic 9.3 contains an insecure direct object reference (IDOR) in its messaging module: the handler that shows a sent message looks the record up by the caller-supplied mail_id alone and never checks that the message belongs to the current user, so any authenticated user with messaging access can read any sent message on the instance simply by supplying an arbitrary mail_id value. This exposes message contents and metadata (sender, recipient, subject, timestamps) belonging to other users, breaking confidentiality and potentially revealing sensitive student or staff information. The weakness is classified as CWE-639 (Authorization Bypass Through User-Controlled Key), the CWE used for IDOR.
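The pattern behind this class of bug, and the fix, in an added example that is not openSIS code: the vulnerable lookup filters only on the user-controlled mail_id, while the hardened one binds the row to the caller's identity inside the query. The in-memory SQLite table, its column names other than mail_id, and the sample messages are constructed for the example and are not openSIS Classic's real schema; the enumeration helper shows what an attacker with messaging access gains from the vulnerable version.

```python
import sqlite3

# Constructed stand-in for a messaging table. Only mail_id comes from the
# advisory; sender_id, recipient_id, subject and body are assumed names.
SCHEMA = """
CREATE TABLE messages (
    mail_id      INTEGER PRIMARY KEY,
    sender_id    INTEGER NOT NULL,
    recipient_id INTEGER NOT NULL,
    subject      TEXT NOT NULL,
    body         TEXT NOT NULL
);
"""

# Constructed sample data: two messages sent by user 1, one sent by user 4.
SAMPLE_MESSAGES = [
    (101, 1, 2, "Grades", "Final grade for student 2 is attached"),
    (102, 1, 3, "Re: absence", "Medical note received for student 3"),
    (103, 4, 5, "Staff", "Payroll question for staff member 5"),
]

COLUMNS = "mail_id, sender_id, recipient_id, subject, body"


def open_db():
    """Build the in-memory database with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO messages VALUES (?, ?, ?, ?, ?)", SAMPLE_MESSAGES)
    return conn


def get_sent_message_vulnerable(conn, current_user_id, mail_id):
    """IDOR: the lookup depends only on the caller-supplied mail_id.

    current_user_id is accepted but never used, so the handler returns any
    message in the table whenever the id exists.
    """
    return conn.execute(
        f"SELECT {COLUMNS} FROM messages WHERE mail_id = ?", (mail_id,)
    ).fetchone()


def get_sent_message_fixed(conn, current_user_id, mail_id):
    """Ownership enforced in the query: the row must have been sent by the caller.

    A message that exists but belongs to someone else yields None, the same
    result as a non-existent id, so the response does not confirm which ids exist.
    """
    return conn.execute(
        f"SELECT {COLUMNS} FROM messages WHERE mail_id = ? AND sender_id = ?",
        (mail_id, current_user_id),
    ).fetchone()


def enumerate_readable(fetch, conn, current_user_id, candidate_ids):
    """Walk candidate mail_id values as one user and return the ids that are readable.

    This is what an attacker with messaging access does against the vulnerable
    handler: no knowledge of valid ids is needed, iterating is enough.
    """
    return [mid for mid in candidate_ids if fetch(conn, current_user_id, mid) is not None]


if __name__ == "__main__":
    db = open_db()
    attacker = 4  # a low-privileged account that only sent message 103
    print("vulnerable:", enumerate_readable(get_sent_message_vulnerable, db, attacker, range(100, 110)))
    print("fixed:     ", enumerate_readable(get_sent_message_fixed, db, attacker, range(100, 110)))
```

The important design choice is that the ownership predicate lives in the same query as the lookup rather than in a later "if sender != me" check that a second code path can forget; it also means a foreign id and a missing id produce the same 404-style result, so the endpoint cannot be used to map which mail_id values exist.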
Affected Systems
The vulnerability affects OS4ED openSIS Classic version 9.3 on any platform it runs on (Linux, macOS, or Windows). Any authenticated account with permission to use the messaging module can exploit it; the messages of every user on the instance, students and staff alike, are what it exposes.
Risk and Exploitability
The CVSS base score of 7.1 (High) reflects the confidentiality impact; the requirement for an authenticated account with messaging access is what keeps it from scoring higher. No EPSS data is available, and the flaw is not listed in the CISA KEV catalog, so there is no public evidence of widespread exploitation yet. Exploitation needs nothing beyond ordinary module access: an attacker does not have to know which mail_id values are valid, since iterating candidate values is enough. The risk is therefore greatest in deployments where messaging permissions are broadly granted.
OpenCVE Enrichment