Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
9DescriptionCVE.org
School App developed by Zyosoft has an Insecure Direct Object Reference vulnerability, allowing authenticated remote attackers to modify a specific parameter to read and modify other users' data.
AnalysisAI
Insecure Direct Object Reference in Zyosoft School App allows authenticated remote attackers to escalate privileges horizontally by manipulating object identifiers in API requests, enabling unauthorized read and write access to other users' personal data including student records, grades, and account information. The vulnerability requires only low-level authentication (PR:L) with no user interaction and poses high confidentiality and integrity risk to multi-tenant educational data. EPSS and KEV data not available; exploitation complexity is low (AC:L) making this accessible to moderately skilled attackers once credentials are obtained.
Technical ContextAI
This is a classic Insecure Direct Object Reference (IDOR) vulnerability classified as CWE-639 (Authorization Bypass Through User-Controlled Key). The School App by Zyosoft fails to implement proper authorization checks on object-level access control, allowing authenticated users to manipulate reference parameters (likely numeric IDs or GUIDs in API endpoints or URL parameters) to access resources belonging to other users. The application trusts client-supplied object identifiers without validating that the requesting user has legitimate access rights to those objects. This architectural flaw is common in web and mobile applications where authorization logic incorrectly assumes authentication alone is sufficient, or where role-based access control (RBAC) is implemented but object-level permissions are not enforced. The CVSS 4.0 vector confirms network-based exploitation with low complexity and no attack complexity barriers beyond obtaining valid low-privilege credentials.
RemediationAI
Organizations running School App should immediately apply vendor-released security updates by consulting Taiwan CERT advisories at https://www.twcert.org.tw/tw/cp-132-10896-e3240-1.html (Traditional Chinese) and https://www.twcert.org.tw/en/cp-139-10897-64257-2.html (English) for patch availability and installation instructions. If patches are not yet available or cannot be immediately deployed, implement these compensating controls with the following trade-offs: (1) Enable comprehensive API request logging to monitor for sequential object ID enumeration patterns, accepting the performance overhead and storage costs of verbose logging; (2) Implement web application firewall (WAF) rules to detect and block rapid sequential requests to user data endpoints, acknowledging this may cause false positives for legitimate bulk operations by administrators; (3) Conduct emergency access review to ensure user accounts have minimum necessary privilege levels, reducing the pool of credentials that could be exploited; (4) If feasible within application architecture, temporarily restrict API access to trusted IP ranges or VPN-only access, understanding this limits mobile/remote user functionality. Note that compensating controls only reduce attack surface and do not eliminate the underlying authorization flaw.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26772