Status: Closed
Assigned To: nferrari - Private
Opened by monty099 - 28.04.2025
Last edited by nferrari - 28.04.2025
FS#162 - Title: Clickjacking (On-click) Vulnerability in Student Deletion in [admin.alwaysdata.com]
Summary:
The Academic Cloud system of the web application is vulnerable to a clickjacking attack that allows an attacker to trick a user into deleting students from their platform unknowingly.
On-click: delete any student from the Academic Cloud platform by accessing the deletion URL directly.
Steps to Reproduce:
1. Create an account or log into the Academic Cloud platform.
2. The deletion URL looks like:
https://admin.alwaysdata.com/academic/release/{student_id}
3. Create an HTML proof-of-concept file with the following content:
<a href="https://admin.alwaysdata.com/academic/release/{student_id}">click</a>
4. Host this HTML page or send it via a link to the victim.
5. Once the victim clicks on the disguised link, the student is deleted from the Academic Cloud platform without their knowledge or consent.
An attacker can exploit this vulnerability by sending a direct link to the target (administrator or teacher) who has access to manage student accounts.
POC: https://admin.alwaysdata.com/support/86502/
Impact:
The exploit enables unauthorized deletion of students from the Academic Cloud platform. This can lead to the loss of critical student data and disrupt academic processes, potentially damaging data integrity and undermining the platform’s security.
28.04.2025 16:36
Reason for closing: Invalid
Additional comments about closing:
Hi, this action does not delete any data.
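Whatever this particular endpoint does (the closing note says the action deletes no data), the shape the report describes is a state-changing action reachable through a plain GET link that rides on the victim's ambient session cookie. The block below is an added example, not alwaysdata's code, that puts that handler shape beside one requiring POST, a same-origin Origin/Referer, and a per-session CSRF token; the paths, origin and in-memory session store are constructed for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed in-memory server state; a real app keeps this in its session backend.
ALLOWED_ORIGIN = "https://admin.example.test"   # hypothetical origin of the admin app
SESSIONS = {"sess-admin": {"csrf_token": secrets.token_hex(16)}}


@dataclass
class Request:
    method: str
    path: str                      # e.g. /academic/release/{student_id}
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def _student_id(req):
    return req.path.rsplit("/", 1)[-1]


def weak_release(req, session_id, students):
    """Pattern the report describes: any request carrying a valid session,
    including a bare GET link the user was lured into clicking, performs the action."""
    if session_id not in SESSIONS:
        return 403, "login required"
    students.discard(_student_id(req))
    return 200, "released " + _student_id(req)


def hardened_release(req, session_id, students):
    """Same action with the checks a state-changing endpoint should have.
    (Setting the session cookie with SameSite=Lax adds a further layer.)"""
    if session_id not in SESSIONS:
        return 403, "login required"
    if req.method != "POST":                       # 1. never change state on GET
        return 405, "state change requires POST"
    src = req.headers.get("Origin") or req.headers.get("Referer", "")
    parts = urlsplit(src)                          # 2. exact origin comparison
    if f"{parts.scheme}://{parts.netloc}" != ALLOWED_ORIGIN:
        return 403, "cross-site request rejected"
    expected = SESSIONS[session_id]["csrf_token"]  # 3. per-session CSRF token
    if not hmac.compare_digest(req.form.get("csrf_token", ""), expected):
        return 403, "missing or invalid CSRF token"
    students.discard(_student_id(req))
    return 200, "released " + _student_id(req)
```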