An information disclosure vulnerability exists in UniverSIS-students versions prior to 1.5.0 due to unrestricted access to certain OData properties through the UniverSIS API. By sending a specially crafted HTTP GET request to a vulnerable UniverSIS API endpoint such as /api/students/me/courses/, an authenticated student could exploit this vulnerability to obtain sensitive information (e.g. middle name, Social Security number, and home address) about all instructors in his or her department.
Proof of Concept
UniverSIS has released a patch for this vulnerability on GitLab. Please update UniverSIS-students to the latest version.
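One general way to guard against this class of disclosure is a deny-by-default, per-role allow-list of properties applied to every response before it leaves the API. The sketch below is an added example, not UniverSIS code or the vendor's patch; the role, entity and property names and the sample record are hypothetical.

```javascript
// Added example: per-role property allow-list applied to API responses.
// Role, entity and property names are hypothetical, not the UniverSIS schema.
const ALLOWED = {
  student: {
    CourseClass: ['id', 'title', 'instructors'],
    Instructor: ['id', 'givenName', 'familyName'],
  },
  registrar: {
    CourseClass: ['id', 'title', 'instructors'],
    Instructor: ['id', 'givenName', 'middleName', 'familyName', 'homeAddress'],
  },
};

// Entity type that each navigation property points to.
const NAVIGATION = { CourseClass: { instructors: 'Instructor' } };

// Read only own properties, so keys such as "__proto__" never match.
const own = (o, k) =>
  (o && Object.prototype.hasOwnProperty.call(o, k) ? o[k] : undefined);

// Return a copy of `value` holding only the properties `role` may read.
// Unknown roles, entities and properties are dropped (deny by default).
function project(role, entity, value) {
  if (Array.isArray(value)) return value.map((v) => project(role, entity, v));
  if (value === null || typeof value !== 'object') return value;
  const allowed = own(own(ALLOWED, role), entity) || [];
  const out = {};
  for (const key of allowed) {
    const field = own(value, key);
    if (field === undefined) continue;
    // Nested entities are filtered with their own allow-list.
    const target = own(own(NAVIGATION, entity), key);
    out[key] = target ? project(role, target, field) : field;
  }
  return out;
}

// Constructed sample record, shaped as a data layer might return it.
const SAMPLE = [{
  id: 101, title: 'Algorithms',
  instructors: [{
    id: 7, givenName: 'Ada', middleName: 'M.', familyName: 'Example',
    ssn: '000-00-0000', homeAddress: '1 Example St',
  }],
}];

console.log(JSON.stringify(project('student', 'CourseClass', SAMPLE)));
```

Because the filter runs on the serialised output, it holds regardless of which query options the client supplied.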
Responsible Disclosure Timeline
Vendor Contact: March 6, 2022
Vendor Fix Released: March 15, 2022
Public Advisory: April 4, 2022
CVE Allocation: April 11, 2022