CVE-2024-53573

Unifiedtransform v2.X, an open-source school management system, is affected by CVE-2024-53573, an incorrect access control vulnerability classified under CWE-284. The flaw allows unauthorized users to access and manipulate endpoints intended exclusively for administrative use, with the teacher/edit/{id} endpoint specifically impacted. Assigned a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), it represents a critical risk due to its potential for high-impact unauthorized modifications without requiring authentication or user interaction.

Attackers can exploit this vulnerability remotely over the network with no privileges or special conditions needed. Any unauthenticated user, including external adversaries, can directly access the vulnerable endpoint to view, edit, or delete sensitive teacher information, potentially leading to data tampering, unauthorized privilege escalation within the system, or broader compromise of school administrative functions.

Mitigation details are outlined in advisories available at the following references: https://drive.google.com/file/d/14Or6QIpOeLEqdFm1mwxdE_NNCOwMmcFc/view and https://www.getastra.com/blog/vulnerability/improper-access-control-in-school-management-system-unifiedtransform/. Security practitioners should consult these sources for patching instructions, access control hardening recommendations, and any vendor-provided updates to address the exposure in Unifiedtransform v2.X deployments.