CVE-2026-10168
Status: Received - Intake
Improper Resource Control in BrinaryBrains School Student Management System

Publication date: 2026-05-31

Last updated on: 2026-05-31

Assigner: VulDB

Description
A security vulnerability has been detected in OUSL-GROUP-BrinaryBrains School Student Management System up to commit 1e70e5ad1125b86dca4ee086eb6bb121f17708b6. The affected function is marks in the file application/controllers/Parents.php. Manipulation of the argument param1 leads to improper control of resource identifiers (CWE-99). The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. Continuous delivery with rolling releases is used by this product, so no version numbers for affected or fixed releases are available; the identifier above is a git commit hash. The project was informed of the problem early through an issue report but has not responded yet.
Meta Information
Published: 2026-05-31
Last Modified: 2026-05-31
Generated: 2026-05-31
AI Q&A: 2026-05-31
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 1 associated CPE
Vendor: ousl-group
Product: brinarybrains_school_student_management_system
Version / Range: up to and including commit 1e70e5ad1125b86dca4ee086eb6bb121f17708b6
CWE
CWE-99: The product receives input from an upstream component, but it does not restrict or incorrectly restricts the input before it is used as an identifier for a resource that may be outside the intended sphere of control.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-10168 is an Insecure Direct Object Reference (IDOR) vulnerability found in the Parent Controller of the OUSL-GROUP-BrinaryBrains School Student Management System. Specifically, it affects the 'marks' function in the file application/controllers/Parents.php. The vulnerability occurs because the system does not verify whether a student belongs to the logged-in parent before displaying their data.

By manipulating the student ID parameter (param1) in the URL, an attacker who is logged in as a parent can access sensitive academic information, such as marks and class routines, of any student, not just their own children. This allows unauthorized access to other students' data.


How can this vulnerability impact me?

This vulnerability can lead to horizontal privilege escalation, where a logged-in parent can view the academic records of other students without authorization.

The impact includes privacy violations as sensitive student information such as marks and class routines can be accessed by unauthorized users.

Additionally, an attacker can enumerate all students' records by sequentially changing the student ID parameter, potentially exposing a large amount of confidential data.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by testing whether unauthorized access to other students' marks and class routines is possible by manipulating the student ID parameter in the URL while logged in as a parent.

A practical detection method is to log in as a parent user and attempt to access another student's data by changing the student ID parameter in the URL to a different value.

For example, if the URL that shows marks is https://example.com/parents/marks?param1=STUDENT_ID (or, more likely for an application/controllers/ layout of this kind, a CodeIgniter-style URL in which param1 is the URI segment after the method name: https://example.com/parents/marks/STUDENT_ID), change STUDENT_ID to another student's ID and observe whether the system displays that student's information. Compare three responses: your own child's ID (the baseline), another existing student's ID, and an ID that does not exist. A 200 response whose body contains the other student's marks confirms the flaw; a redirect to the login page, a 403, or an empty or error page for the other ID indicates that an ownership check is in place.

The advisory does not provide specific commands; manual testing in a web browser, or tools such as curl or Burp Suite (Repeater or Intruder to vary the ID), can be used.

Example curl commands to test access control by changing the param1 value (URI-segment form first, query-string form second):

  • curl -b cookies.txt "https://example.com/parents/marks/OTHER_STUDENT_ID"
  • curl -b cookies.txt "https://example.com/parents/marks?param1=OTHER_STUDENT_ID"

Here, cookies.txt contains the authenticated session cookies of a logged-in parent user (save them with curl -c cookies.txt when submitting the login form, or export them from the browser).


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include implementing proper access control checks in the application to verify that the student ID requested belongs to the logged-in parent before displaying any data.

Specifically, the application should validate the ownership of the student record in the `marks` method of the `Parents.php` controller and related views.
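The ownership check described above, written as an added example in CodeIgniter 3 style (the application/controllers/ layout this project uses). This is not the project's own code: the table and column names (student.student_id, student.parent_id, mark.student_id), the session keys (parent_login, parent_id) and the view name are assumptions chosen for illustration. The first method reproduces the flawed pattern, in which param1 is trusted as the student identifier; the second resolves the requested student against the logged-in parent's own children before loading anything.

```php
<?php
// Added example in CodeIgniter 3 style, not the project's own code. Assumed
// for illustration: a 'student' table with student_id and parent_id columns,
// a 'mark' table keyed by student_id, and session keys parent_login /
// parent_id set at parent login. Adjust the names to the real schema.
defined('BASEPATH') or exit('No direct script access allowed');

class Parents extends CI_Controller
{
    // The flawed pattern behind CWE-99: param1 (the URI segment after
    // /parents/marks/) is used directly as the student identifier, so any
    // logged-in parent can request any student's marks.
    public function marks_unchecked($param1 = '')
    {
        $page_data['student_id'] = $param1;
        $page_data['marks'] = $this->db
            ->get_where('mark', array('student_id' => $param1))
            ->result_array();
        $this->load->view('backend/index', $page_data);
    }

    // Hardened version: the same page, but the requested student must be one
    // of the logged-in parent's own children. Authorization is decided by the
    // server-side link (student.parent_id == session parent_id), never by
    // anything the client sends.
    public function marks($param1 = '')
    {
        if ($this->session->userdata('parent_login') != 1) {
            redirect(base_url(), 'refresh');
        }

        $parent_id  = (int) $this->session->userdata('parent_id');
        $student_id = (int) $param1; // non-numeric input becomes 0 and matches nothing

        if (!$this->student_belongs_to_parent($student_id, $parent_id)) {
            // Log the attempt with both ids; repeated hits from one parent
            // are the enumeration pattern worth alerting on.
            log_message('error', "IDOR attempt: parent {$parent_id} requested student {$student_id}");
            show_error('You are not allowed to view this student.', 403);
        }

        $page_data['student_id'] = $student_id;
        $page_data['marks'] = $this->db
            ->get_where('mark', array('student_id' => $student_id))
            ->result_array();
        $this->load->view('backend/index', $page_data);
    }

    // Ownership check shared by every parent-facing method that takes a
    // student id (marks, class routine, attendance, ...).
    private function student_belongs_to_parent($student_id, $parent_id)
    {
        if ($student_id <= 0 || $parent_id <= 0) {
            return FALSE;
        }
        return $this->db->get_where('student', array(
            'student_id' => $student_id,
            'parent_id'  => $parent_id,
        ))->num_rows() > 0;
    }
}
```

The helper is deliberately separate from marks so it can be called from every other Parents.php method that accepts a student id; the advisory names only marks, but the same pattern usually recurs wherever param1 selects a student (class routine, attendance and so on), and each of those needs the same check.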

Until a patch or update is available, restrict access to the affected functionality to trusted users only (for example, limit the parent portal to known networks or temporarily disable the parent marks view) and monitor web-server and application logs for a single parent session or client IP requesting marks for many different student IDs within a short period, which is the enumeration pattern described above.
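One way to do that log monitoring, as an added example that is not part of the advisory or the project: a small PHP command-line script that reads access-log lines in Apache/nginx combined format and flags any client that successfully fetched marks for many distinct student IDs inside a short window (the enumeration described under the impact question above). The log lines are constructed samples, and the URL shapes it matches (/parents/marks/ID and ?param1=ID) are assumptions about how param1 is routed.

```php
<?php
// Added example, not part of the advisory or the project. Scans web-server
// access-log lines for the enumeration pattern: one client fetching marks
// for many different student ids within a short window. The log lines below
// are constructed samples in Apache/nginx combined format, not real traffic.

$sample_log = <<<'LOG'
203.0.113.7 - - [31/May/2026:10:00:01 +0000] "GET /parents/marks/101 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.4 - - [31/May/2026:10:00:03 +0000] "GET /parents/marks/230 HTTP/1.1" 200 5004 "-" "Mozilla/5.0"
203.0.113.7 - - [31/May/2026:10:00:05 +0000] "GET /parents/marks/102 HTTP/1.1" 200 5098 "-" "Mozilla/5.0"
203.0.113.7 - - [31/May/2026:10:00:09 +0000] "GET /parents/marks/103 HTTP/1.1" 200 5101 "-" "Mozilla/5.0"
203.0.113.7 - - [31/May/2026:10:00:12 +0000] "GET /index.php/parents/marks?param1=104 HTTP/1.1" 200 5077 "-" "Mozilla/5.0"
203.0.113.7 - - [31/May/2026:10:00:15 +0000] "GET /parents/marks/105 HTTP/1.1" 200 5090 "-" "Mozilla/5.0"
198.51.100.4 - - [31/May/2026:10:20:00 +0000] "GET /parents/marks/230 HTTP/1.1" 200 5004 "-" "Mozilla/5.0"
203.0.113.7 - - [31/May/2026:10:00:18 +0000] "GET /parents/marks/999 HTTP/1.1" 404 412 "-" "Mozilla/5.0"
LOG;

// Parse one combined-format line; return null unless it is a marks request.
function parse_marks_request(string $line): ?array
{
    $re = '~^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})~';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    // param1 appears either as the URI segment (/parents/marks/123) or, with
    // query-string routing, as ?param1=123. Accept both (assumed URL shapes).
    if (preg_match('~^/(?:index\.php/)?parents/marks/(\d+)~', $m[3], $p)
        || preg_match('~^/(?:index\.php/)?parents/marks\?(?:.*&)?param1=(\d+)~', $m[3], $p)) {
        $ts = DateTime::createFromFormat('d/M/Y:H:i:s O', $m[2]);
        return [
            'ip'      => $m[1],
            'ts'      => $ts ? $ts->getTimestamp() : 0,
            'student' => $p[1],
            'status'  => (int) $m[4],
        ];
    }
    return null;
}

// Flag any client that retrieved marks (HTTP 200) for at least $threshold
// distinct students inside any $window-second span. Only successful responses
// count: a parent browsing their own two children never crosses the line,
// while an enumerator walking the id space does within seconds.
function find_enumerators(array $lines, int $threshold = 5, int $window = 300): array
{
    $by_ip = [];
    foreach ($lines as $line) {
        $e = parse_marks_request($line);
        if ($e === null || $e['status'] !== 200) {
            continue;
        }
        $by_ip[$e['ip']][] = $e;
    }

    $alerts = [];
    foreach ($by_ip as $ip => $events) {
        usort($events, function ($a, $b) { return $a['ts'] <=> $b['ts']; });
        $start = 0;
        for ($end = 0; $end < count($events); $end++) {
            // Sliding window: drop events older than $window seconds.
            while ($events[$end]['ts'] - $events[$start]['ts'] > $window) {
                $start++;
            }
            $ids = array_unique(array_column(array_slice($events, $start, $end - $start + 1), 'student'));
            if (count($ids) >= $threshold) {
                $alerts[$ip] = array_values($ids);
                break;
            }
        }
    }
    return $alerts;
}

foreach (find_enumerators(explode("\n", trim($sample_log))) as $ip => $ids) {
    printf("ALERT %s fetched marks for %d distinct students within 5 min: %s\n",
        $ip, count($ids), implode(', ', $ids));
}
```

With the constructed lines above, only 203.0.113.7 is reported (five distinct IDs in 14 seconds); the 404 for a non-existent ID is ignored and the second client, which reloads the same child twice, stays below the threshold. Keying on client IP is a compromise forced by access logs, which do not carry the session; if the application logs the parent id on each request (as the hardened controller example does on denied attempts), key on that instead, since one parent behind a changing IP is the case that matters.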

Additionally, consider web application firewall (WAF) rules that rate-limit or alert on rapid requests to the marks endpoint with changing student IDs. A WAF cannot know which students belong to which parent, so it can only slow down enumeration and raise alerts; it does not replace the ownership check in the application.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows unauthorized access to sensitive academic information of students by exploiting an Insecure Direct Object Reference (IDOR) flaw. This leads to privacy violations and horizontal privilege escalation, enabling attackers to view data they should not have access to.

Such unauthorized disclosure of students' personal and academic data can result in non-compliance with data protection regulations such as GDPR, which mandates strict controls over access to personal information and protection against unauthorized exposure (student records are personal data, and those of minors attract additional care). HIPAA applies only to protected health information held by covered entities, so marks and class routines would fall under it only if the same system also stores health data; in the United States, student education records are more typically governed by FERPA.

