u/Tasty-Bend-7714

▲ 7 r/learncybersecurity+1 crossposts

Is this a valid IDOR/Broken Access Control vulnerability on a university portal?

Hi everyone,

I'm learning web security and came across something on my university's student portal. Before I report it, I'd like to get some opinions on whether this is actually a security vulnerability.

Here's what happened:

  • I logged in using my own student account in the university portal.
  • While inspecting the requests, I found one like:GET /app.php?a=getDetailedResults&regno=<my_registration_number>
  • I changed only the regno parameter to another valid registration number using burp suite repeater.
  • The server returned that student's academic details (grades/CGPA/course information) instead of mine.

I didn't enumerate multiple students or attempt to modify any data. I stopped after confirming the behavior.

My questions are:

  1. Does this qualify as an IDOR/Broken Access Control vulnerability?
  2. Is it worth reporting to the university's IT/security team?
  3. What severity would you typically assign to this if it only allows unauthorized viewing of academic records?

I'm intentionally not naming the university or sharing screenshots with student information because I don't want to expose anyone's data.

Thank you!!

reddit.com
u/Tasty-Bend-7714 — 4 days ago