Vulnerability Information

Title: yungifez Skuul v2.6.5: Improper Access Controls

Description: The View Fee Invoice feature in Skuul v2.6.5 is vulnerable to an Insecure Direct Object Reference (IDOR). An authenticated student can change the invoice ID in the URL and view (and print) invoices that belong to other students; the application checks only that the user is logged in, not that the invoice belongs to the requester. This results in unauthorized disclosure of personal and financial information.

Steps to Reproduce:
1. Navigate to http://xxx.xxx.8000/login and log in as a student with the given credentials: Email: student1@student.com, Password: password.
2. Navigate to Fee and click "View Fee Invoice".
3. Click Action, then View, and observe the URL in the browser's address bar: http://xxx.xxx.8000/dashboard/fees/fee-invoices/46.
4. Modify the invoice ID in the URL (e.g. change 46 to 45): http://xxx.xxx.8000/dashboard/fees/fee-invoices/45.
5. The application displays the invoice of another student (Student XYZ) to the logged-in student (Student ABC), and Student ABC can also print Student XYZ's invoice.

Impact: Unauthorized access to other students' invoices. Exposure of personal and financial data. Privacy and data protection violations.

Recommendation:
Enforce ownership checks before displaying or printing an invoice: on every invoice route, verify that the invoice belongs to the requesting student, or that the requester holds a staff role permitted to view it (object-level authorization, not just a login check).
Implement proper Role-Based Access Control (RBAC). A role check alone ("the user is a student") does not prevent this issue; it must be combined with the ownership check above.
Use non-predictable invoice IDs (e.g., UUIDs) as defence in depth. This hinders enumeration of sequential IDs but does not replace the authorization check.

Affected Version: Skuul v2.6.5

Product Source: Website: https://yungifez.github.io/skuul.org/
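The following is an added example of the recommended ownership check, written by the editor; it is not Skuul's own code and does not claim to reproduce the project's controllers. It assumes a Laravel-style controller with route-model binding and a Laravel policy (Skuul is built on Laravel). The names FeeInvoiceController, FeeInvoice, FeeInvoicePolicy, the `student_id` column, the `student` relation and the `hasRole()` helper are placeholders chosen for illustration, not identifiers taken from the project. The first class shows the vulnerable shape described in the advisory; the policy and second controller show the fix, which covers both the view and the print action.

```php
<?php
// Added example (editor's code, not Skuul's). Placeholder names throughout:
// FeeInvoice, FeeInvoiceController, FeeInvoicePolicy, student_id, student,
// hasRole() are assumptions made for illustration.

namespace App\Http\Controllers;

use App\Models\FeeInvoice;
use Illuminate\Foundation\Auth\Access\AuthorizesRequests;

// --- Vulnerable shape (matches the IDOR in the advisory) --------------------
// Route-model binding resolves ANY invoice ID. The only gate is the `auth`
// middleware, so an authenticated student can request /fee-invoices/45 and
// receive another student's invoice.
class VulnerableFeeInvoiceController extends Controller
{
    public function show(FeeInvoice $feeInvoice)
    {
        return view('pages.fee_invoice.show', compact('feeInvoice'));
    }

    public function print(FeeInvoice $feeInvoice)
    {
        return view('pages.fee_invoice.print', compact('feeInvoice'));
    }
}

// --- Hardened shape: object-level authorization on every invoice action ------
class FeeInvoiceController extends Controller
{
    use AuthorizesRequests; // provides $this->authorize(); explicit so it does not
                            // depend on the base Controller's traits

    public function show(FeeInvoice $feeInvoice)
    {
        // Throws AuthorizationException (HTTP 403) unless the policy allows it.
        $this->authorize('view', $feeInvoice);
        return view('pages.fee_invoice.show', compact('feeInvoice'));
    }

    public function print(FeeInvoice $feeInvoice)
    {
        // Same check on the print route: the advisory notes printing works too.
        $this->authorize('view', $feeInvoice);
        return view('pages.fee_invoice.print', compact('feeInvoice'));
    }
}

namespace App\Policies;

use App\Models\FeeInvoice;
use App\Models\User;

// Laravel auto-discovers App\Policies\FeeInvoicePolicy for App\Models\FeeInvoice;
// otherwise register it in AuthServiceProvider::$policies.
class FeeInvoicePolicy
{
    public function view(User $user, FeeInvoice $feeInvoice): bool
    {
        // RBAC part: staff roles may see every invoice. hasRole() is assumed
        // (e.g. a Spatie-style helper); adapt to the app's role check.
        if ($user->hasRole(['admin', 'accountant'])) {
            return true;
        }

        // Ownership part: a student sees only invoices whose student_id is theirs.
        // A missing student relation (non-student user without a staff role) is denied.
        $student = $user->student;
        return $student !== null
            && (int) $feeInvoice->student_id === (int) $student->id;
    }
}
```

The same policy can be applied at the route level instead of in the controller, with `->middleware('can:view,feeInvoice')` on the route definition, which makes it harder to forget the check when a new action is added. Either way, switching the primary key to a UUID should be treated as an extra layer: with the policy in place, guessing an ID yields a 403 rather than another student's data.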