Is this a valid IDOR/Broken Access Control vulnerability on a university portal?
Hi everyone,
I'm learning web security and came across something on my university's student portal. Before I report it, I'd like to get some opinions on whether this is actually a security vulnerability.
Here's what happened:
- I logged in using my own student account in the university portal.
- While inspecting the requests, I found one like:
GET /app.php?a=getDetailedResults&regno=<my_registration_number> - I changed only the
regnoparameter to another valid registration number using burp suite repeater. - The server returned that student's academic details (grades/CGPA/course information) instead of mine.
I didn't enumerate multiple students or attempt to modify any data. I stopped after confirming the behavior.
My questions are:
- Does this qualify as an IDOR/Broken Access Control vulnerability?
- Is it worth reporting to the university's IT/security team?
- What severity would you typically assign to this if it only allows unauthorized viewing of academic records?
I'm intentionally not naming the university or sharing screenshots with student information because I don't want to expose anyone's data.
Thank you!!
u/Tasty-Bend-7714 — 4 days ago