- Status Closed
Assigned To
nferrari - Private
Opened by monty099 - 28.04.2025
Last edited by nferrari - 28.04.2025
FS#163 - Title: Unauthorized Student Deletion (On-click) Vulnerability in Alwaysdata Academic Cloud
Summary:
The Alwaysdata Academic Cloud system is vulnerable to an attack that allows an attacker to trick students into deleting their own accounts from the platform unknowingly by clicking a specially crafted link.
On-click Delete any student from the Academic Cloud platform by accessing the deletion URL directly.
Steps to Reproduce:
1. Create an account or log into the Alwaysdata Academic Cloud platform.
2. The deletion URL looks like:
https://admin.alwaysdata.com/academic/detach/
3. Create an HTML proof-of-concept file with the following content:
<a href="https://admin.alwaysdata.com/academic/detach/">click</a>
4. Host this HTML page or send it via a link to the victim.
5. Once the victim clicks on the disguised link, their account is deleted from the Alwaysdata Academic Cloud platform without their knowledge or consent.
An attacker can exploit this vulnerability by sending a direct link to the target (student) who has access to the platform.
Impact:
The exploit enables unauthorized deletion of student accounts from the Alwaysdata Academic Cloud platform. This can lead to the loss of critical student data and disrupt academic processes, potentially damaging data integrity and undermining the platform’s security.
28.04.2025 16:38
Reason for closing: Invalid
Additional comments about closing:
This action does not delete any data.
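For a handler that does change state when a link is followed, the pattern in the report can be compared with a hardened form. This is an added example, not part of the original task and not Alwaysdata's code: the in-memory session, the handler names and the `csrf_token` field are hypothetical, and only the `/academic/detach/` path comes from the report.

```python
import hmac
import secrets

DETACH_PATH = "/academic/detach/"  # path from the report; everything else is hypothetical

def new_session(user):
    """Constructed session holding a per-session CSRF token the server puts in its own forms."""
    return {"user": user, "attached": True, "csrf": secrets.token_urlsafe(32)}

def handle_unsafe(method, path, session, form=None):
    """Reported pattern: any authenticated request to the URL, GET included, changes state."""
    if path == DETACH_PATH and session:
        session["attached"] = False
        return 200
    return 404

def handle_hardened(method, path, session, form=None):
    """State changes only on a POST that carries the session's CSRF token."""
    if path != DETACH_PATH:
        return 404
    if not session:
        return 401
    if method != "POST":
        return 405  # a followed <a href> issues GET, so it cannot trigger the action
    sent = (form or {}).get("csrf_token", "")
    if not hmac.compare_digest(sent.encode(), session["csrf"].encode()):
        return 403  # a cross-site form cannot know the per-session token
    session["attached"] = False
    return 200

def demo():
    """Run the four cases and return (status, still_attached) for each."""
    results = {}
    s = new_session("student1")
    results["unsafe_get"] = (handle_unsafe("GET", DETACH_PATH, s), s["attached"])
    s = new_session("student1")
    results["hardened_get"] = (handle_hardened("GET", DETACH_PATH, s), s["attached"])
    forged = {"csrf_token": "guess"}
    results["forged_post"] = (handle_hardened("POST", DETACH_PATH, s, forged), s["attached"])
    genuine = {"csrf_token": s["csrf"]}
    results["real_post"] = (handle_hardened("POST", DETACH_PATH, s, genuine), s["attached"])
    return results

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```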