Executive Summary

CVE-2026-30707 is a Broken Access Control vulnerability in the SpeedExam Online Examination System. It occurs because the server-side method ReviewAnswerDetails does not properly verify if a user is authorized or if the exam is completed before returning answer details.

Authenticated attackers can bypass client-side restrictions and directly invoke this method via ASP.NET AJAX PageMethods to retrieve the full answer key for exams without having legitimately completed them.

The vulnerability arises from the server trusting client requests without validating user permissions or exam state, combined with security by obscurity where review buttons are hidden in the UI but the underlying API remains accessible.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can severely impact the integrity of the examination process by allowing unauthorized users to obtain correct answers without taking the exam.

• Attackers can extract full answer keys and accepted correct responses for multiple-choice and text input questions.
• It compromises the fairness and trustworthiness of the exam system, potentially invalidating exam results.
• Organizations relying on SpeedExam for assessments may face reputational damage and loss of confidence in their certification or evaluation processes.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': "This vulnerability can be detected by analyzing the web application's client-side JavaScript and network traffic to identify exposed ASP.NET AJAX PageMethods, especially the ReviewAnswerDetails method."}, {'type': 'paragraph', 'content': 'Using the browser console, you can attempt to call the PageMethods.ExamQuestionAnswerDetails method to retrieve exam questions and their IDs.'}, {'type': 'paragraph', 'content': 'Then, by scripting calls to the ReviewAnswerDetails PageMethod with the obtained Question_id values, you can check if the server returns full answer details without proper authorization.'}, {'type': 'list_item', 'content': 'Open the browser developer console and run: `PageMethods.ExamQuestionAnswerDetails(callback)` to get question IDs.'}, {'type': 'list_item', 'content': 'Iterate over the Question_id values and call: `PageMethods.ReviewAnswerDetails(questionId, callback)` to see if answers are returned.'}, {'type': 'list_item', 'content': 'Monitor network traffic (.HAR files) for calls to .axd files and PageMethods to identify unauthorized access attempts.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include implementing proper server-side access control and validation for the ReviewAnswerDetails PageMethod.

Ensure that the server verifies whether the user is authorized to access the answer details and that the exam is completed before returning any sensitive information.

Avoid relying on client-side restrictions or hiding UI elements as a security measure.

Review and restrict access to exposed ASP.NET AJAX PageMethods to authenticated and authorized users only.

Useful 0 Not Useful 0