Academic grades and other student data were put at risk by a SQL injection (SQLi) vulnerability in an open-source platform built by Greek universities to manage student records.
According to a blog post by security researcher Stavros Mekesis, attackers exploiting the weakness in the UniverSIS application could have retrieved student IDs, students’ names, parents’ names, Social Security numbers, home addresses, and home and mobile phone numbers.
The flaw is tracked as CVE-2022-29603. The maintainers released a patch on GitLab a day after being notified.
‘Millions of users’
UniverSIS is a Student Information System (SIS) used by several of Greece’s largest universities, including the Aristotle University of Thessaloniki, to store and manage students’ personally identifiable information, exam results, and other sensitive data. Mekesis told The Daily Swig, “The platform also manages dormant students and inactive employees.”
“As a result, it’s a safe bet to suggest the site has millions of users.” According to Mekesis, the attack is low in complexity, but the attacker must be authenticated, albeit only with low privileges such as those of a student.
“However, because many students reuse passwords, once these passwords have been hacked, they can be used to break into UniverSIS and exploit the SQLi vulnerability,” Mekesis said. “Furthermore, phishing is a relatively low-cost and effective attack.”
The SQLi flaw stems from insufficient validation of user-supplied input in the $select parameter, which is accepted by many API endpoints, including /api/students/me/messages/. According to Mekesis, an attacker could “read, add, alter, or delete information in the back-end database” by sending specially crafted SQL to a vulnerable endpoint.
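To illustrate the class of bug described above, the following is an added Python example and not UniverSIS’s own code (the article does not describe how the platform builds its queries). The students and guardians tables, their sample rows, the ALLOWED_COLUMNS allow-list and the payload are all constructed for the example; the $select handling is a simplified stand-in for a projection parameter that an API splices into a query. The vulnerable function interpolates $select into the column list; the hardened one accepts only exact allow-listed column names.

```python
import sqlite3

# Columns a logged-in student may project from their own record.
# (Assumed allow-list for this example; not the real UniverSIS schema.)
ALLOWED_COLUMNS = frozenset({"id", "name", "email"})

# Constructed payload in the style of a $select injection: one valid column
# followed by a subquery that pulls every guardian's SSN, even though the
# outer WHERE still limits the query to the caller's own row.
PAYLOAD = "name, (SELECT group_concat(ssn, ';') FROM guardians) AS leaked"


def make_db():
    """Build an in-memory SQLite database with constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE students (
            id INTEGER PRIMARY KEY, name TEXT, email TEXT, ssn TEXT, home_phone TEXT
        );
        CREATE TABLE guardians (
            id INTEGER PRIMARY KEY, student_id INTEGER, name TEXT, ssn TEXT
        );
        INSERT INTO students VALUES (1, 'Alice Example', 'alice@example.edu', '000-00-0001', '+30 210 000 0001');
        INSERT INTO students VALUES (2, 'Bob Example',   'bob@example.edu',   '000-00-0002', '+30 210 000 0002');
        INSERT INTO guardians VALUES (1, 1, 'Alice Parent', '000-00-1001');
        INSERT INTO guardians VALUES (2, 2, 'Bob Parent',   '000-00-1002');
        """
    )
    return conn


def vulnerable_select(conn, student_id, select_param):
    """Flawed pattern: the $select value is spliced into the projection list.

    The row filter is parameterised, but that does not help when the caller
    controls the column list: any SQL expression, subqueries included, is
    evaluated by the database.
    """
    sql = f"SELECT {select_param} FROM students WHERE id = ?"
    return conn.execute(sql, (student_id,)).fetchall()


def safe_select(conn, student_id, select_param):
    """Hardened version: every requested column must exactly match the allow-list.

    Identifiers cannot be bound as parameters, so the robust defence is to
    accept nothing but known column names and rebuild the list ourselves.
    """
    requested = [c.strip() for c in select_param.split(",") if c.strip()]
    if not requested:
        raise ValueError("$select must name at least one column")
    for col in requested:
        if col not in ALLOWED_COLUMNS:
            raise ValueError(f"column not permitted in $select: {col!r}")
    sql = f"SELECT {', '.join(requested)} FROM students WHERE id = ?"
    return conn.execute(sql, (student_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", vulnerable_select(db, 1, PAYLOAD))
    print("legitimate:", safe_select(db, 1, "name, email"))
    try:
        safe_select(db, 1, PAYLOAD)
    except ValueError as err:
        print("hardened version rejects payload:", err)
```

Note that a parameterised WHERE clause alone does not close this hole: the placeholder in vulnerable_select is bound correctly, yet the subquery carried in $select still runs and returns data from another table. Column names cannot be bound as parameters, so they have to be validated against an allow-list (or mapped through a fixed lookup) rather than escaped.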
All UniverSIS versions prior to 1.2.1 are potentially affected, and Mekesis urges users to deploy the patch as soon as possible. “The UniverSIS support team responded promptly” after he contacted them on April 17, 2022, the researcher said.
Lead developers Kyriakos and Anthi released a fix on April 18. “Kyriakos worked tirelessly (even on Orthodox Easter Sunday!) to keep Greek colleges safe. Bravo!” Mekesis wrote. This is the second flaw Mekesis has reported in UniverSIS this month, having disclosed an information exposure vulnerability in the platform three weeks earlier.