Key Information from the Vulnerability Disclosure Report

Date Reported: 6-Aug-2025
Title: Insecure Direct Object Reference (IDOR) in EduplusCampus Student Payment API

Summary:
A critical vulnerability has been identified in the EduplusCampus system that allows unauthorized access to the personal and financial details of other students, including:
- Full Name
- Roll Number
- Payment Amount
- Payment Date
- Transaction Mode
- Bank Details
- Transaction ID (TID)

The issue is due to an Insecure Direct Object Reference (IDOR) in the API handling payment information.

Steps to Reproduce:
1. Log in to the student portal.
2. Intercept the POST request made to the endpoint using tools like Burp Suite.
3. Modify the request payload by changing only the parameter (e.g., increment/decrement the receipt number).
4. Submit the modified request.
5. Observe that the API returns another student's details without any authorization check.
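The following is an added example, not code from EduplusCampus or from the report, showing the server-side pattern the report describes: a receipt lookup keyed only on a client-supplied receipt number, beside a hardened lookup that binds the record to the authenticated student, a session-scoped query that drops the client-chosen identifier altogether, and a simple log heuristic for spotting sequential receipt-number requests. The function names, the in-memory receipt table, the student identifiers and the access-log records are all constructed for illustration; the report does not name the endpoint or the parameter, and nothing here claims to.

```python
# Added example (not EduplusCampus code). All names and data are constructed.
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when the caller may not see the requested receipt."""


@dataclass(frozen=True)
class Receipt:
    receipt_no: int
    student_id: str      # owner of the receipt (the logged-in student it belongs to)
    full_name: str
    roll_number: str
    amount: float
    tid: str


# Constructed sample data standing in for the payment table.
RECEIPTS = {
    1001: Receipt(1001, "stu-A", "Student A", "R-001", 1500.0, "TID-A1"),
    1002: Receipt(1002, "stu-B", "Student B", "R-002", 2300.0, "TID-B1"),
    1003: Receipt(1003, "stu-A", "Student A", "R-001", 750.0, "TID-A2"),
}


def get_receipt_vulnerable(receipt_no: int, current_student: str) -> Receipt:
    """IDOR: the receipt number alone selects the record. The logged-in
    student is never compared to the owner, so any number returns data."""
    return RECEIPTS[receipt_no]


def get_receipt_hardened(receipt_no: int, current_student: str) -> Receipt:
    """Authorization check: return the record only if it belongs to the
    authenticated student. A mismatch and a non-existent receipt raise the
    same error so the endpoint cannot be used to confirm which numbers exist."""
    receipt = RECEIPTS.get(receipt_no)
    if receipt is None or receipt.student_id != current_student:
        raise Forbidden("receipt not found or not owned by caller")
    return receipt


def my_receipts(current_student: str) -> list[Receipt]:
    """Alternative design: scope the query by the session's student id and
    accept no record identifier from the client at all."""
    owned = (r for r in RECEIPTS.values() if r.student_id == current_student)
    return sorted(owned, key=lambda r: r.receipt_no)


def idor_probe(lookup, current_student: str, receipt_no: int) -> str:
    """Regression-test helper: 'leak' if another student's record came back,
    'denied' if access was refused, 'own' if the caller got their own record."""
    try:
        r = lookup(receipt_no, current_student)
    except Forbidden:
        return "denied"
    return "own" if r.student_id == current_student else "leak"


# Constructed access-log records: (session_student, receipt_no, http_status).
ACCESS_LOG = [
    ("stu-A", 1001, 200), ("stu-A", 1002, 200),
    ("stu-A", 1003, 200), ("stu-A", 1004, 200),
    ("stu-B", 1002, 200),
]


def flag_enumeration(log, min_run: int = 3) -> dict[str, int]:
    """Detection heuristic: flag sessions that requested a run of consecutive
    receipt numbers of length >= min_run. Returns {student: longest_run}."""
    per_student: dict[str, set[int]] = {}
    for student, receipt_no, _status in log:
        per_student.setdefault(student, set()).add(receipt_no)
    flagged: dict[str, int] = {}
    for student, nums in per_student.items():
        ordered = sorted(nums)
        run = best = 1
        for prev, cur in zip(ordered, ordered[1:]):
            run = run + 1 if cur == prev + 1 else 1
            best = max(best, run)
        if best >= min_run:
            flagged[student] = best
    return flagged


if __name__ == "__main__":
    # Student A is logged in and asks for the neighbouring receipt number.
    print(idor_probe(get_receipt_vulnerable, "stu-A", 1002))  # leak
    print(idor_probe(get_receipt_hardened, "stu-A", 1002))    # denied
    print([r.receipt_no for r in my_receipts("stu-A")])       # [1001, 1003]
    print(flag_enumeration(ACCESS_LOG))                        # {'stu-A': 4}
```

The hardened lookup returns the same error for "not yours" and "does not exist", which keeps the receipt-number space opaque; the session-scoped `my_receipts` removes the problem at its root by never trusting a client-chosen identifier. The `flag_enumeration` heuristic is only a coarse signal for review of the access logs and assumes receipt numbers are issued sequentially, as the report's increment/decrement step implies.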