CVE-2026-10169
Status: Received - Intake
Authentication Bypass via Weak Password Recovery in OUSL-GROUP-BrinaryBrains School Student Management System

Publication date: 2026-05-31

Last updated on: 2026-05-31

Assigner: VulDB

Description
A vulnerability was detected in OUSL-GROUP-BrinaryBrains School Student Management System up to 1e70e5ad1125b86dca4ee086eb6bb121f17708b6. Affected by this vulnerability is the function ajax_forgot_password of the file application/controllers/Login.php of the component Forgot Password Endpoint. The manipulation of the argument email results in weak password recovery. The attack can be launched remotely. This attack is characterized by high complexity. The exploitation appears to be difficult. The exploit is now public and may be used. This product does not use versioning, which is why information about affected and unaffected releases is unavailable. The project was informed of the problem early through an issue report but has not responded yet.
Meta Information
Generated: 2026-05-31
AI Q&A: 2026-05-31
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: ousl-group
Product: school_student_management_system
Version / Range: up to 1e70e5ad1125b86dca4ee086eb6bb121f17708b6 (inclusive)
CWE
CWE-640: The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the "Forgot Password" functionality of the OUSL-GROUP-BrinaryBrains School Student Management System, specifically in the ajax_forgot_password endpoint. An attacker can send a POST request with any email address, and the system will immediately reset the password for that account to a new random string without requiring any verification such as CAPTCHA, security questions, or email-based reset tokens.

The system's response differs depending on whether the email exists or not, allowing attackers to enumerate valid accounts by observing the responses. The vulnerable code directly updates the password in the database and returns a JSON response indicating success if the email exists, or an HTTP 500 error if it does not.

There is no rate limiting, CAPTCHA, or user confirmation, making it easy for attackers to exploit this remotely. The vulnerability allows attackers to reset passwords for any valid account without authorization.


How can this vulnerability impact me?

This vulnerability can have several impacts:

  • Account enumeration: Attackers can identify valid email addresses registered in the system by analyzing the different responses.
  • Unauthorized password resets: Attackers can forcibly reset passwords for any valid account without verification.
  • Denial of Service (DoS): Legitimate users can be locked out of their accounts until they recover access.
  • Lack of user notification: Users are not informed when their passwords are changed, leaving them unaware of unauthorized access.
  • Potential for further attacks: Attackers can use enumerated emails for phishing or credential stuffing attacks.

How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by testing the behavior of the 'ajax_forgot_password' endpoint when submitting different email addresses via POST requests.

Specifically, sending POST requests with various email addresses and observing the responses can reveal if the system is vulnerable. A successful password reset returns a JSON response with status "true", while an invalid email triggers an HTTP 500 Internal Server Error.

This difference in response allows detection of valid email accounts and confirms the vulnerability.

Example command using curl to test an email address:

  • curl -X POST -d "[email protected]" https://target-system/application/controllers/Login.php/ajax_forgot_password

By automating such requests with different emails and analyzing the HTTP status codes and JSON responses, you can detect the vulnerability and enumerate valid accounts.
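From the defender's side, the probing described above leaves a recognisable trace in the web server access log: a single client sending a burst of POST requests to the forgot-password endpoint, most of them answered with HTTP 500 (unknown addresses) and a few with 200 (existing accounts). The following PHP script is an added example, not part of the advisory or of the project, that parses Apache/nginx combined-format log lines and flags source IPs exceeding a request threshold inside a sliding time window. The log lines are constructed, and the route /login/ajax_forgot_password is an assumption; the match is on the endpoint name so either routing style is caught.

```php
<?php
// Added example (not from the advisory or the project): detect bursts of
// forgot-password requests per source IP in a combined-format access log.
declare(strict_types=1);

// Constructed sample log: 203.0.113.7 fires 12 resets in ~33 s (mostly 500s,
// a few 200s); 198.51.100.20 is an ordinary user doing one reset.
function sampleLog(): string
{
    $lines = [];
    for ($i = 0; $i < 12; $i++) {
        $status  = ($i % 5 === 4) ? 200 : 500;
        $lines[] = sprintf('203.0.113.7 - - [31/May/2026:10:00:%02d +0000] '
            . '"POST /login/ajax_forgot_password HTTP/1.1" %d 0 "-" "curl/8.5.0"', $i * 3, $status);
    }
    $lines[] = '198.51.100.20 - - [31/May/2026:10:01:10 +0000] '
        . '"POST /login/ajax_forgot_password HTTP/1.1" 200 45 "https://school.example/login" "Mozilla/5.0"';
    $lines[] = '198.51.100.20 - - [31/May/2026:10:01:12 +0000] "GET /login HTTP/1.1" 200 2110 "-" "Mozilla/5.0"';
    return implode("\n", $lines);
}

// Parse one combined-format line into ip, unix time, method, path and status.
function parseLine(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) /';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    $ts = DateTimeImmutable::createFromFormat('d/M/Y:H:i:s O', $m[2]);
    if ($ts === false) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $ts->getTimestamp(),
            'method' => $m[3], 'path' => $m[4], 'status' => (int) $m[5]];
}

// Return, per offending IP, the size of the first burst that reached $threshold
// requests within $windowSeconds, split by response status. The 500/200 split is
// the tell: a legitimate user never produces a run of 500s on this endpoint.
function findResetAbuse(string $log, int $windowSeconds = 300, int $threshold = 10): array
{
    $byIp = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $e = parseLine($line);
        if ($e === null || $e['method'] !== 'POST' || !str_contains($e['path'], 'ajax_forgot_password')) {
            continue;
        }
        $byIp[$e['ip']][] = $e;
    }

    $alerts = [];
    foreach ($byIp as $ip => $events) {
        usort($events, fn (array $a, array $b): int => $a['time'] <=> $b['time']);
        $start = 0;                                  // left edge of the sliding window
        foreach ($events as $i => $e) {
            while ($e['time'] - $events[$start]['time'] > $windowSeconds) {
                $start++;
            }
            if ($i - $start + 1 >= $threshold) {
                $burst = array_slice($events, $start, $i - $start + 1);
                $alerts[$ip] = [
                    'requests' => count($burst),
                    'http_500' => count(array_filter($burst, fn (array $x): bool => $x['status'] === 500)),
                    'http_200' => count(array_filter($burst, fn (array $x): bool => $x['status'] === 200)),
                ];
                break;
            }
        }
    }
    return $alerts;
}

if (PHP_SAPI === 'cli') {
    print_r(findResetAbuse(sampleLog()));
}
```

Run it against a real access log by replacing sampleLog() with file_get_contents() of the log; only the scanning client is reported, the ordinary user's single request stays below the threshold. Because the vulnerable handler answers unknown addresses with a 500, a high ratio of 500 responses on this endpoint from one source is by itself worth an alert even below the burst threshold.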


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include implementing additional verification mechanisms on the password recovery process.

  • Add CAPTCHA or other challenge-response tests to prevent automated abuse.
  • Require email-based reset tokens or confirmation links instead of directly resetting passwords upon receiving an email.
  • Implement rate limiting on the password recovery endpoint to prevent brute force or enumeration attacks.
  • Notify users via email when their password has been reset to alert them of unauthorized changes.

Since the project has not yet responded to the issue, these mitigations should be applied as soon as possible to reduce the risk of exploitation.
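The mitigations above fit together as a two-step flow: the forgot-password endpoint never changes a password itself, it only mails a one-time token to the address on file, and a second endpoint accepts that token to set the new password and notifies the user. The PHP below is an added example of that flow, not the project's Login.php; the table names (users, password_resets, reset_requests), the $sendMail callable, the reset URL and the MySQL/SQLite REPLACE INTO syntax are assumptions made for illustration.

```php
<?php
// Added example: token-based password recovery implementing the mitigations above.
// Not the project's code; schema, mailer and route are assumptions.
declare(strict_types=1);

const RESET_TOKEN_TTL_SECONDS = 15 * 60;   // reset link validity
const RATE_WINDOW_SECONDS     = 3600;      // throttling window per key
const MAX_REQUESTS_PER_WINDOW = 5;

// One reply for every outcome (unknown email, throttled, malformed input, success),
// so neither the body nor the status code reveals whether an account exists.
function genericReply(): array
{
    return ['status' => true,
            'message' => 'If an account exists for that address, a reset link has been sent.'];
}

// Fixed-window counter per key ("ip:<addr>" or "email:<addr>") in the assumed table
// reset_requests(key_hash CHAR(64) PRIMARY KEY, window_start INT, count INT).
function overLimit(PDO $db, string $key): bool
{
    $hash = hash('sha256', $key);
    $now  = time();
    $stmt = $db->prepare('SELECT window_start, count FROM reset_requests WHERE key_hash = ?');
    $stmt->execute([$hash]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || $now - (int) $row['window_start'] > RATE_WINDOW_SECONDS) {
        $db->prepare('REPLACE INTO reset_requests (key_hash, window_start, count) VALUES (?, ?, 1)')
           ->execute([$hash, $now]);                 // start a new window
        return false;
    }
    $db->prepare('UPDATE reset_requests SET count = count + 1 WHERE key_hash = ?')->execute([$hash]);
    return (int) $row['count'] + 1 > MAX_REQUESTS_PER_WINDOW;
}

// Step 1: the user asks for a reset. The password is NOT changed here; a one-time
// token is stored hashed and the link is mailed only to the address on file.
function requestPasswordReset(PDO $db, string $clientIp, array $post, callable $sendMail): array
{
    $email = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        return genericReply();
    }
    if (overLimit($db, 'ip:' . $clientIp) || overLimit($db, 'email:' . strtolower($email))) {
        error_log("password reset throttled for ip=$clientIp");   // visible to operators, not to the caller
        return genericReply();
    }
    $stmt = $db->prepare('SELECT id FROM users WHERE email = ?');
    $stmt->execute([$email]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($user !== false) {
        $token = bin2hex(random_bytes(32));                        // 256-bit CSPRNG token, sent once by mail
        $db->prepare('INSERT INTO password_resets (user_id, token_hash, expires_at) VALUES (?, ?, ?)')
           ->execute([(int) $user['id'], hash('sha256', $token), time() + RESET_TOKEN_TTL_SECONDS]);
        $link = 'https://school.example/login/reset_password?token=' . $token;   // assumed route
        $sendMail($email, 'Password reset requested',
            "A reset was requested for your account. Use this link within 15 minutes: $link\n"
          . "If you did not request it, ignore this message; your password has not been changed.");
    }
    return genericReply();
}

// Step 2: only the holder of an unexpired, unused token can set a new password,
// and the user is notified so an unauthorized change does not go unnoticed.
function completePasswordReset(PDO $db, string $token, string $newPassword, callable $sendMail): bool
{
    if (strlen($newPassword) < 12) {
        return false;
    }
    $stmt = $db->prepare(
        'SELECT r.id, r.user_id, u.email FROM password_resets r JOIN users u ON u.id = r.user_id
          WHERE r.token_hash = ? AND r.expires_at > ? AND r.used_at IS NULL');
    $stmt->execute([hash('sha256', $token), time()]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;
    }
    $db->beginTransaction();
    $db->prepare('UPDATE users SET password = ? WHERE id = ?')
       ->execute([password_hash($newPassword, PASSWORD_DEFAULT), (int) $row['user_id']]);
    $db->prepare('UPDATE password_resets SET used_at = ? WHERE id = ?')
       ->execute([time(), (int) $row['id']]);
    $db->commit();
    $sendMail($row['email'], 'Your password was changed',
        'Your password was just changed using a reset link. If this was not you, contact the administrator.');
    return true;
}
```

Two details matter for the enumeration problem specifically. The handler returns HTTP 200 with the same body whether or not the address is registered, so the status-code oracle described in the detection answer disappears. The remaining difference is timing, since the database insert and the mail call only run for existing accounts; hand the mail off to a queue rather than sending it inline so that response times stay uniform.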


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability allows attackers to enumerate valid user accounts and forcibly reset passwords without user consent or notification. Such unauthorized access and manipulation of user credentials can lead to unauthorized data access and potential data breaches.

The lack of user notification and absence of verification mechanisms (such as CAPTCHA or email-based reset tokens) increase the risk of undetected account compromise.

These issues can negatively impact compliance with regulations like GDPR and HIPAA, which require protection of personal data, user consent for sensitive operations, and timely breach notifications.

