Security vulnerabilities

  • Status Closed
  • Assigned To
    nferrari
  • Private
Attached to Project: Security vulnerabilities
Opened by monty099 - 28.04.2025
Last edited by nferrari - 28.04.2025

FS#163 - Title: Unauthorized Student Deletion (On-click) Vulnerability in Alwaysdata Academic Cloud

Summary:
The Alwaysdata Academic Cloud system is vulnerable to an attack that allows an attacker to trick students into deleting their own accounts from the platform unknowingly by clicking a specially crafted link.

On-click deletion of any student from the Academic Cloud platform by accessing the deletion URL directly.

Steps to Reproduce:

1. Create an account or log into the Alwaysdata Academic Cloud platform.

2. The deletion URL looks like:

https://admin.alwaysdata.com/academic/detach/

3. Create an HTML proof-of-concept file with the following content:

<a href="https://admin.alwaysdata.com/academic/detach/">click</a>

4. Host this HTML page or send it via a link to the victim.

5. Once the victim clicks on the disguised link, their account is deleted from the Alwaysdata Academic Cloud platform without their knowledge or consent.

An attacker can exploit this vulnerability by sending a direct link to the target (student) who has access to the platform.

Impact:
The exploit enables unauthorized deletion of student accounts from the Alwaysdata Academic Cloud platform. This can lead to the loss of critical student data and disrupt academic processes, potentially damaging data integrity and undermining the platform’s security.

Closed by nferrari
28.04.2025 16:38
Reason for closing: Invalid
Additional comments about closing:

This action does not delete any data.
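Added here as an illustration, not part of the report above and not alwaysdata's code: the report describes the general pattern of a state-changing URL that fires on a bare GET, so that an <a href> on an attacker page triggers it with the victim's session cookie attached. The toy service below models that pattern next to the hardened form a reviewer would look for (POST only, plus a session-bound CSRF token). It says nothing about what the real /academic/detach/ endpoint does; per the closing note, that action deletes no data. The session ids, account id, cookie name and server secret are constructed for the example.

```python
"""Toy model of a link-triggered account action and its hardened form.

Added example, not alwaysdata's code. Models the class of issue the report
alleges: a state-changing URL that fires on a plain GET. Session ids,
account ids, the cookie name and the secret are constructed.
"""
import hmac
from dataclasses import dataclass, field


@dataclass
class Request:
    """Minimal stand-in for an incoming HTTP request."""
    method: str
    path: str
    cookies: dict
    form: dict = field(default_factory=dict)


class AcademicService:
    DETACH_PATH = "/academic/detach/"  # path from the report; behaviour below is hypothetical

    def __init__(self):
        # Constructed state: one logged-in student whose account is attached.
        self.sessions = {"sess-victim": "student42"}
        self.attached = {"student42"}
        self.secret = b"constructed-server-secret"  # use a random, rotated key in practice

    def csrf_token(self, session_id):
        """Token bound to the session. It is rendered into the legitimate form,
        never into a cookie, so a cross-site page cannot read or forge it."""
        return hmac.new(self.secret, session_id.encode(), "sha256").hexdigest()

    def _user(self, req):
        return self.sessions.get(req.cookies.get("session"))

    def detach_get_triggered(self, req):
        """Variant A (the pattern the report alleges): any authenticated request to
        the path performs the action; method and origin are not checked."""
        user = self._user(req)
        if user is None:
            return 401, "login required"
        if req.path != self.DETACH_PATH:
            return 404, "not found"
        self.attached.discard(user)
        return 200, f"{user} detached"

    def detach_hardened(self, req):
        """Variant B: the state change happens only on a POST carrying a valid,
        session-bound CSRF token."""
        user = self._user(req)
        if user is None:
            return 401, "login required"
        if req.path != self.DETACH_PATH:
            return 404, "not found"
        if req.method != "POST":
            return 405, "method not allowed"
        supplied = req.form.get("csrf_token", "")
        expected = self.csrf_token(req.cookies["session"])
        if not hmac.compare_digest(supplied.encode(), expected.encode()):
            return 403, "bad or missing CSRF token"
        self.attached.discard(user)
        return 200, f"{user} detached"


# What the victim's browser sends in each scenario.

def link_click(session_cookie):
    """Victim follows <a href=".../academic/detach/">click</a>: a top-level GET.
    The browser attaches the session cookie on its own."""
    return Request("GET", AcademicService.DETACH_PATH, {"session": session_cookie})


def forged_form_post(session_cookie):
    """Attacker page auto-submits a form to the endpoint: a POST with the victim's
    cookie but no token, because the token only exists in the legitimate page."""
    return Request("POST", AcademicService.DETACH_PATH, {"session": session_cookie}, form={})


def legitimate_post(service, session_cookie):
    """The real confirmation form: a POST carrying the token the server rendered."""
    token = service.csrf_token(session_cookie)
    return Request("POST", AcademicService.DETACH_PATH, {"session": session_cookie},
                   form={"csrf_token": token})


if __name__ == "__main__":
    svc = AcademicService()
    print("GET-triggered, link click:", svc.detach_get_triggered(link_click("sess-victim")), svc.attached)
    svc = AcademicService()
    print("hardened, link click:     ", svc.detach_hardened(link_click("sess-victim")))
    print("hardened, forged POST:    ", svc.detach_hardened(forged_form_post("sess-victim")))
    print("hardened, real form:      ", svc.detach_hardened(legitimate_post(svc, "sess-victim")), svc.attached)
```

The method check alone is enough to defeat the link from the report (a link is always a GET), but only the token check stops an auto-submitted cross-site form. A SameSite=Lax session cookie adds a layer against the forged POST, yet Lax still sends the cookie on a top-level GET navigation such as a link click, which is exactly why a GET must never change state.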
