Skuul v2.6.5 - Insecure Direct Object Reference (IDOR) in View Fee Invoice

Summary

The View Fee Invoice feature in Skuul v2.6.5 is vulnerable to an Insecure Direct Object Reference (IDOR). Authenticated student users can manipulate the invoice ID parameter in the URL to access other students' invoices without authorization. This results in unauthorized disclosure of personal and financial information.

Vulnerability Details

The invoice viewing endpoint ( ) relies on predictable numeric identifiers and does not enforce proper authorization checks to verify ownership of the requested invoice. When a valid student user alters the value in the URL, the system displays the corresponding invoice regardless of the logged-in user's identity. This lack of access control allows attackers to enumerate invoice IDs and view sensitive information belonging to other students, violating data confidentiality and privacy.

Steps to Reproduce

1. Navigate to http://127.0.0.1:8000/login and log in as a student using the given credentials:
   - Email: student@student.com
   - Password: password
2. Navigate to Fees → View Fee Invoice.
3. Click on Action → View, and observe the URL in the browser's address bar:
4. Modify the invoice ID in the URL (e.g., change to ):
5. The application displays the invoice of another student (e.g., student xyz), confirming unauthorized access.

Impact

Unauthorized Access: Students can view others' invoices.
Information Disclosure: Sensitive personal and financial data exposed.
Privacy Violation: Breach of student data confidentiality.
Compliance Risk: Possible violation of data protection laws.
Reputation Damage: Loss of trust in system security.

Recommendation

- Implement ownership checks on the server side to ensure that only the student who owns an invoice can access it.
- Use role-based access control (RBAC) to restrict access according to user privileges.
- Replace sequential IDs with non-predictable identifiers (e.g., UUIDs).
- Validate authorization for every request to sensitive resources before returning data.
- Log and monitor all access to financial data endpoints for suspicious activity.
- Conduct a full access control review across all modules to identify and patch similar vulnerabilities.

Affected Version

Skuul v2.6.5

Credits

Zeeshan Khan
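The following is an added, framework-neutral illustration of the first three recommendations (server-side ownership check, RBAC, non-predictable identifiers); it is not Skuul's code, and the `User`, `Invoice`, `view_invoice_*` names, the role names and the sample records are constructed assumptions. It places the IDOR pattern described under Vulnerability Details next to a hardened handler, and also shows that switching to opaque identifiers does not by itself remove the need for the authorization check.

```python
"""Ownership/role check for an invoice-view endpoint (added example, not Skuul code).

All names and data here are constructed for illustration.
"""
import uuid
from dataclasses import dataclass, field


@dataclass(frozen=True)
class User:
    id: int
    role: str  # constructed role names: "student", "admin"


@dataclass(frozen=True)
class Invoice:
    id: int            # sequential primary key: predictable, easy to enumerate
    student_id: int    # the owning student
    amount: float
    # non-predictable public identifier, generated per record
    public_id: str = field(default_factory=lambda: uuid.uuid4().hex)


class Forbidden(Exception):
    """Caller is authenticated but not authorized for this record (HTTP 403)."""


class NotFound(Exception):
    """No such record (HTTP 404)."""


# Constructed sample data: two students, one invoice each.
INVOICES = [
    Invoice(id=1, student_id=101, amount=250.0),
    Invoice(id=2, student_id=102, amount=480.0),
]
BY_ID = {inv.id: inv for inv in INVOICES}
BY_PUBLIC_ID = {inv.public_id: inv for inv in INVOICES}


def view_invoice_vulnerable(current_user: User, invoice_id: int) -> Invoice:
    """The IDOR pattern: the caller is logged in, but any invoice id is served."""
    inv = BY_ID.get(invoice_id)
    if inv is None:
        raise NotFound(invoice_id)
    return inv  # missing: inv.student_id == current_user.id (or a permitted role)


def can_view_invoice(user: User, inv: Invoice) -> bool:
    """Authorization rule: the owning student, or a role allowed to see all invoices."""
    if user.role == "admin":  # RBAC: finance/admin staff may view every invoice
        return True
    return user.role == "student" and inv.student_id == user.id


def view_invoice_hardened(current_user: User, invoice_id: int) -> Invoice:
    """Same lookup, plus a server-side ownership/role check on every request."""
    inv = BY_ID.get(invoice_id)
    if inv is None:
        raise NotFound(invoice_id)
    if not can_view_invoice(current_user, inv):
        # Deny (403, or 404 if you prefer not to confirm that the id exists) and log it.
        raise Forbidden(f"user {current_user.id} denied invoice {invoice_id}")
    return inv


def view_invoice_by_public_id(current_user: User, public_id: str) -> Invoice:
    """Opaque identifier in the URL: harder to guess, but the check is still required."""
    inv = BY_PUBLIC_ID.get(public_id)
    if inv is None:
        raise NotFound(public_id)
    if not can_view_invoice(current_user, inv):
        raise Forbidden(f"user {current_user.id} denied invoice {public_id}")
    return inv


def status_of(handler, user: User, key) -> int:
    """Map a handler outcome to the HTTP status a web layer would return."""
    try:
        handler(user, key)
        return 200
    except Forbidden:
        return 403
    except NotFound:
        return 404


if __name__ == "__main__":
    student_a = User(101, "student")
    print("vulnerable, other student's invoice:", status_of(view_invoice_vulnerable, student_a, 2))
    print("hardened, other student's invoice:  ", status_of(view_invoice_hardened, student_a, 2))
    print("hardened, own invoice:              ", status_of(view_invoice_hardened, student_a, 1))
```

The check lives in `can_view_invoice` and is applied by every handler that returns an invoice, which is the property to verify during the access-control review the advisory recommends: a new route that forgets to call it reintroduces the bug, regardless of how the identifier in the URL looks.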
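As an added example for the monitoring recommendation (not part of the original advisory), the script below scans access-log lines for the pattern the Vulnerability Details section describes: one account requesting many distinct invoice IDs in a short window. The log format and the `/fees/invoice/<id>` path are constructed assumptions, since the page does not give the real URL; the sample lines are constructed too. Before the fix such requests succeed, so the detector counts distinct IDs per user rather than relying on 403s alone; after the fix, repeated 403s on the same endpoint become a second signal.

```python
"""Detect invoice-ID enumeration in access logs (added example, not Skuul code).

Assumed (constructed) log format: "<ISO timestamp> user=<id> GET <path> <status>"
with invoice views at the hypothetical path /fees/invoice/<id>.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\d+) GET /fees/invoice/(?P<inv>\d+)\S* (?P<status>\d{3})$"
)

# Constructed sample log: user 102 views its own invoice once; user 101 walks
# through five IDs in 20 seconds while the bug is present (all 200); user 103
# views two invoices an hour apart; user 104 hits the hardened endpoint (403s).
SAMPLE_LOG = """\
2024-05-01T10:00:00 user=102 GET /fees/invoice/2 200
2024-05-01T10:01:00 user=101 GET /fees/invoice/1 200
2024-05-01T10:01:05 user=101 GET /fees/invoice/2 200
2024-05-01T10:01:09 user=101 GET /fees/invoice/3 200
2024-05-01T10:01:14 user=101 GET /fees/invoice/4 200
2024-05-01T10:01:20 user=101 GET /fees/invoice/5 200
2024-05-01T10:30:00 user=103 GET /fees/invoice/7 200
2024-05-01T11:30:00 user=103 GET /fees/invoice/8 200
2024-05-01T12:00:00 user=104 GET /fees/invoice/9 403
2024-05-01T12:00:04 user=104 GET /fees/invoice/10 403
2024-05-01T12:00:08 user=104 GET /fees/invoice/11 403
2024-05-01T12:05:00 user=105 GET /login 200
"""


def parse_events(log_text: str) -> list:
    """Return one dict per invoice-view line; other lines are ignored."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "user": int(m["user"]),
            "inv": int(m["inv"]),
            "status": int(m["status"]),
        })
    return events


def detect_enumeration(log_text: str, max_distinct: int = 3,
                       window: timedelta = timedelta(minutes=5),
                       max_denied: int = 3) -> dict:
    """Flag users who request >= max_distinct different invoice IDs inside any
    `window`, or who collect >= max_denied 403 responses on the endpoint.

    Returns {user_id: {"distinct_ids": [...], "denied": n}} for flagged users only.
    """
    by_user = defaultdict(list)
    for ev in parse_events(log_text):
        by_user[ev["user"]].append(ev)

    findings = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        worst: set = set()
        # Small inputs: check every window that starts at an event.
        for i, start in enumerate(evs):
            ids = {e["inv"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if len(ids) > len(worst):
                worst = ids
        denied = sum(1 for e in evs if e["status"] == 403)
        if len(worst) >= max_distinct or denied >= max_denied:
            findings[user] = {"distinct_ids": sorted(worst), "denied": denied}
    return findings


if __name__ == "__main__":
    for user, info in detect_enumeration(SAMPLE_LOG).items():
        print(f"user {user}: {len(info['distinct_ids'])} distinct invoice IDs "
              f"in window, {info['denied']} denied")
```

Thresholds are deliberately low here to make the sample readable; in a real deployment they should be set against how many invoices one student legitimately owns, and a flagged user should be correlated with the ownership data to confirm that the IDs requested were not theirs.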