ZhongQing Education Cloud Platform Information Disclosure Scanner
Detects 'Information Disclosure' vulnerability in ZhongQing Education Cloud Platform.
Short Info
Level
Single Scan: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 3 weeks 13 hours
Scan only one: URL
ZhongQing Education Cloud Platform is a sophisticated solution designed to support educational institutions in teaching and research. Developed for use in educational settings, it provides numerous functionalities to enhance educational workflows. The platform is utilized by educators and administrators to manage educational content, student records, and research data. It is designed to streamline educational processes while maintaining ease of use and accessibility for its users. Due to its extensive range of features, it is commonly adopted by schools and universities seeking to enhance their digital educational infrastructure.
The Information Disclosure vulnerability in the ZhongQing Education Cloud Platform allows unauthorized users to access sensitive information. It is significant because the leak could expose critical user information. Attackers exploiting this vulnerability could reset user credentials and thereby gain unauthorized access to the platform. The cause is a lack of proper identity verification on certain function pages, which lets attackers perform operations on sensitive endpoints. This vulnerability threatens the confidentiality and integrity of the data maintained within the platform.
The flaw is unauthorized access to sensitive data, including usernames, caused by improper identity verification. Using the leaked information, attackers can reset passwords to default values such as 123456. This is primarily due to endpoint exposure: sensitive functionality can be reached directly, without adequate authorization. The vulnerable endpoint is '/api/TeacherQuery/SearchTeacherInSiteWithPagerRecords', which fails to enforce security mechanisms effectively. A response with content type 'application/json' and status '200' indicates a successful exploitation attempt. Together, these weaknesses allow unauthorized and potentially compromising activity on the platform.
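For asset owners reviewing their own logs, the following added example (not part of the scanner or the platform) flags requests to the endpoint named above that were answered with status 200. It assumes access logs in the common/combined log format and case-insensitive routing; the sample log lines and addresses are constructed.

```python
import re
from collections import Counter
from urllib.parse import unquote, urlsplit

# Endpoint named on the page, lower-cased for comparison.
# Assumption: the application routes paths case-insensitively.
ENDPOINT = "/api/teacherquery/searchteacherinsitewithpagerrecords"

# Assumption: logs are in common/combined log format.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Mar/2024:09:14:02 +0000] "GET /api/TeacherQuery/SearchTeacherInSiteWithPagerRecords HTTP/1.1" 200 5120',
    '192.0.2.10 - - [12/Mar/2024:09:14:09 +0000] "POST /api/teacherquery/SearchTeacherInSiteWithPagerRecords?x=1 HTTP/1.1" 200 4800',
    '198.51.100.7 - - [12/Mar/2024:09:20:41 +0000] "GET /api/TeacherQuery/SearchTeacherInSiteWithPagerRecords HTTP/1.1" 401 0',
    '203.0.113.5 - - [12/Mar/2024:09:21:00 +0000] "GET /index.html HTTP/1.1" 200 900',
    '198.51.100.9 - - [12/Mar/2024:09:30:15 +0000] "GET /api//TeacherQuery/%53earchTeacherInSiteWithPagerRecords/ HTTP/1.1" 200 5100',
]

def normalize(target):
    """Reduce a request target to a comparable path: drop the query string,
    percent-decode once, collapse repeated slashes, lower-case."""
    path = unquote(urlsplit(target).path)
    return re.sub(r"/{2,}", "/", path).lower().rstrip("/")

def find_hits(lines):
    """Return every parsed request whose normalized path is the endpoint."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if m and normalize(m["target"]) == ENDPOINT:
            hits.append({"ip": m["ip"], "ts": m["ts"],
                         "method": m["method"], "status": int(m["status"])})
    return hits

def served_by_client(hits):
    """Count per client the requests answered with 200, the status the
    page gives as the indicator that the endpoint returned data."""
    return dict(Counter(h["ip"] for h in hits if h["status"] == 200))

if __name__ == "__main__":
    for ip, n in served_by_client(find_hits(SAMPLE_LOG)).items():
        print(f"{ip}: {n} request(s) answered with 200")
```

Clients listed by `served_by_client` are the ones to correlate with later password changes or logins on the affected accounts.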
If exploited, this vulnerability could lead to various severe consequences, including privacy breaches and unauthorized access to sensitive system data. Attackers may further compromise the system by altering or deleting data, causing significant disruptions. Unauthorized access can lead to credential resets, resulting in possible malicious activities being undertaken by attackers posing as legitimate users. The exposure of sensitive user data can lead to a deeper compromise of the educational institution's digital infrastructure. Additionally, exploitation could result in reputational damage for the institution and erosion of trust among users.