Vulners
Lucene search
📄 Unifiedtransform 2.x Course Editor Missing Authorization
| Reporter | Title | Published | Views | Family All 10 |
|---|---|---|---|---|
 | CVE-2025-46204 | 29 May 202519:36 | – | circl |
 | Unifiedtransform 安全漏洞 | 4 Jun 202500:00 | – | cnnvd |
 | CVE-2025-46204 | 4 Jun 202500:00 | – | cve |
 | CVE-2025-46204 | 4 Jun 202500:00 | – | cvelist |
 | EUVD-2025-16923 | 3 Oct 202520:07 | – | euvd |
 | CVE-2025-46204 | 4 Jun 202520:15 | – | nvd |
 | CVE-2025-46204 | 4 Jun 202520:15 | – | osv |
 | PT-2025-23849 · Unknown · Unifiedtransform | 4 Jun 202500:00 | – | ptsecurity |
 | CVE-2025-46204 | 6 Jun 202501:01 | – | redhatcve |
 | CVE-2025-46204 | 4 Jun 202500:00 | – | vulnrichment |
10
## Description
Unifiedtransform v2.X is vulnerable to Incorrect Access Control. Any user (students and teachers) can access and modify course details via the /course/edit/{id} endpoints. This functionality intended exclusively for administrative use. Exploiting this flaw allows unauthorized manipulation of course names and categories, compromising data integrity and administrative controls.
Vendor: [Unifiedtransform](https://github.com/changeweb/Unifiedtransform)
## Product
A school management Software
v2.X
---
## Affected components
Access Control Mechanism which is responsible for course permissions.
Route: GET /course/edit/{id}
Controller: CourseController
Method: edit()
And all other endpoints and functionalities related to editing course.
## PoC/Attack Vector
**Step 1:** Install the application as instructed in the official GitHub repository, and log in using the default admin credentials. ([email protected]:password)
**Step 2:** Create several courses to populate data.
**Step 3:** Log in to the application as a Teacher or Student.
**Step 4:** Navigate to the endpoint:
/course/edit/{id}
where ID starts with 1 with any existing course.
suppose if you created 2 courses the ID=1 will be for course 1 and ID=2 will be for course 2
**Step 5:** Change the course name and type and click on update.
---
**Vulnerability Type:** Incorrect Access Control
**Attack Type:** Remote
**Impact:** Escalation of Privileges
**Attack Vectors:** Broken Access Control allows teachers or students to modify data of course.
**Discoverer:** Sneh Bavarva
## Additional information
**Impact:** Unauthorized changes to course information can lead to academic mismanagement and breakdown of curriculum structure. Only administrators should have the authority to modify such sensitive data.
**References:**
https://github.com/changeweb/Unifiedtransform
https://cwe.mitre.org/data/definitions/284.html
- [Unifiedtransform Official Site](http://unifiedtransform.com)
- [Unifiedtransform GitHub Repository](https://github.com/changeweb/Unifiedtransform)Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
30 May 2025 00:00Current
7.3High risk
Vulners AI Score7.3
CVSS 3.16.5
EPSS0.00088
SSVC