Hard News Hard Hitting News Source Global Political News


Student grades stored in Greek education platform UniverSIS could be manipulated via SQLi

A SQL injection (SQLi) vulnerability in an open source platform developed by Greek universities to manage student data left academic grades at risk of manipulation.

Attackers exploiting the vulnerability in the application, UniverSIS, could also have retrieved student IDs, students’ names, parents’ names, Social Security numbers, home addresses, and home and mobile phone numbers, according to a blog post published by security researcher Stavros Mekesis.

The maintainers released a patch on GitLab a day after they were alerted to the flaw (tracked as CVE-2022-29603).

‘Millions of users’

UniverSIS is a Student Information System (SIS) used by some of Greece’s largest universities, including the largest of them, the Aristotle University of Thessaloniki, to store and manage students’ personally identifiable information, test results, and other sensitive data.

“The platform also handles inactive students and inactive employees,” Mekesis told The Daily Swig. “So, it would be a safe estimate to say that the platform has millions of users.”

Although the attack complexity is low, the attacker must be authenticated, albeit only with low privileges such as those of a student, according to Mekesis.

“However, given that many students tend to reuse passwords, once these passwords are compromised, they can be used to break into UniverSIS and exploit the SQLi vulnerability,” Mekesis warned. “Moreover, phishing is a relatively cheap and effective form of attack.”

The UniverSIS SQLi issue involved the $select query parameter and affected multiple API endpoints, including /api/students/me/messages/: the value supplied by the client was not properly validated before it reached the SQL query built by the back end.

After sending specially crafted SQL statements to a vulnerable endpoint the attacker could “view, add, modify or delete information in the back-end database”, according to Mekesis.
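To make the class of bug concrete, the following is an added example in JavaScript, written here as if for a Node.js API; it is not UniverSIS’s code and is not taken from the researcher’s write-up. It shows the same $select query option turned into a SQL projection list two ways: spliced straight into the query text, and checked against an allow-list of column names first. The hostname, the table and column names (studentMessage, id, subject, body, dateCreated) and the payload are all constructed for illustration and do not describe the real schema.

```javascript
// Added example: handling an OData-style $select option safely vs. unsafely.
// Table and column names below are hypothetical, not UniverSIS's real schema.
const ALLOWED_COLUMNS = new Set(['id', 'subject', 'body', 'dateCreated']);
const TABLE = 'studentMessage'; // hypothetical backing table for /api/students/me/messages/

// Pull the raw $select value out of a request URL (Node's global URL class).
function extractSelect(requestUrl) {
  return new URL(requestUrl).searchParams.get('$select');
}

// VULNERABLE: the caller's $select becomes part of the SQL text unmodified.
// A value such as "id FROM studentGrade --" rewrites the FROM clause and
// comments out the rest of the statement, so rows from another table come back.
function buildSelectVulnerable(selectParam) {
  return `SELECT ${selectParam} FROM ${TABLE} WHERE student = ?`;
}

// HARDENED: split $select into field names, accept only plain identifiers that
// appear in the allow-list, then quote each one. Anything else is rejected
// before any SQL is assembled, so the query text can only contain known columns.
const IDENTIFIER = /^[A-Za-z_][A-Za-z0-9_]*$/;

function buildSelectHardened(selectParam) {
  const fields = selectParam.split(',').map((f) => f.trim()).filter(Boolean);
  if (fields.length === 0) {
    throw new Error('$select must name at least one field');
  }
  for (const field of fields) {
    if (!IDENTIFIER.test(field)) {
      throw new Error(`$select contains a non-identifier: ${JSON.stringify(field)}`);
    }
    if (!ALLOWED_COLUMNS.has(field)) {
      throw new Error(`$select names an unknown field: ${field}`);
    }
  }
  const projection = fields.map((f) => `"${f}"`).join(', ');
  return `SELECT ${projection} FROM ${TABLE} WHERE student = ?`;
}

// Constructed requests: one ordinary, one carrying an injection payload.
const BENIGN_URL = 'https://sis.example.edu/api/students/me/messages/?$select=id,subject';
const MALICIOUS_URL =
  'https://sis.example.edu/api/students/me/messages/?$select=' +
  encodeURIComponent('id FROM studentGrade --');

function demonstrate() {
  for (const url of [BENIGN_URL, MALICIOUS_URL]) {
    const select = extractSelect(url);
    console.log('$select =', select);
    console.log('  vulnerable ->', buildSelectVulnerable(select));
    try {
      console.log('  hardened   ->', buildSelectHardened(select));
    } catch (err) {
      console.log('  hardened   -> rejected:', err.message);
    }
  }
}

demonstrate();
```

The allow-list is the important part: escaping or quoting alone does not help when the attacker controls an identifier position rather than a value, because identifiers cannot be bound as parameters. The student ID stays a bound parameter (the `?`) in both versions; only the projection list differs.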

Prompt response

UniverSIS versions up to and including 1.2.1 are all potentially vulnerable.

Mekesis has advised users to apply a recently issued patch as soon as possible.

“The UniverSIS support team responded instantly” after Mekesis contacted them on April 17, 2022, according to the researcher. The lead developers, Kyriakos and Anthi, rolled out a patch on April 18, said Mekesis, after “Kyriakos worked relentlessly (even on Orthodox Easter Sunday!) to keep Greek universities safe. Bravo!”

It’s the second time this month that Mekesis has documented a bug in UniverSIS, having reported an information disclosure vulnerability in the platform three weeks earlier.

Source: https://portswigger.net/daily-swig/student-grades-stored-in-greek-education-platform-universis-could-be-manipulated-via-sqli
