Full Disclosure mailing list archives

Full disclosure: Edupage web and mobile application authorization bypass leaks PII and IBAN codes


From: Juraj Kosik <juraj.kosik () gmail com>
Date: Tue, 12 May 2026 12:39:30 +0200

VULNERABILITY
Both authenticated and publicly accessible anonymous guest accounts on
the Edupage portal allow an attacker to capture the complete list of user IDs,
names (students, parents, and teachers), and the associated banking details
(IBAN codes).

Full disclosure report: https://jkosik.github.io/posts/edupage/
Reference: https://www.edupage.org/

VENDOR:
Applied Software Consultants

PRODUCT:
Edupage - https://www.edupage.org/
Web application and also mobile application (at least 2024.0.25 2.1.72)

AFFECTED COMPONENT
Edupage Payment module

ATTACK TYPE
Remote

DISCOVERER
Juraj Kosik

CVE
CVE-2025-70561
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

