CVE-2024-41245 identifies an Incorrect Access Control vulnerability in the Kashipara Responsive School Management System version 3.2.0. The vulnerability exists in the /smsa/view_teachers.php script, which is responsible for displaying teacher details. Due to improper access control checks, remote attackers can access this endpoint without any authentication or privileges, thereby viewing sensitive teacher information. The vulnerability is classified under CWE-284 (Improper Access Control), indicating that the system fails to restrict access to resources properly. The CVSS v3.1 base score is 7.5 (High), with vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, meaning the attack can be launched remotely over the network with low attack complexity, no privileges, and no user interaction, resulting in a high confidentiality impact but no impact on integrity or availability. No patches or mitigations are currently listed, and no known exploits have been reported in the wild. This vulnerability could lead to unauthorized disclosure of personally identifiable information (PII) of teachers, potentially violating privacy regulations and damaging organizational reputation. The lack of authentication requirements makes this vulnerability particularly dangerous as it can be exploited by any remote attacker scanning for vulnerable instances.

The primary impact of CVE-2024-41245 is the unauthorized disclosure of sensitive teacher information, which may include personal data such as names, contact details, qualifications, and employment records. This breach of confidentiality can lead to privacy violations, regulatory non-compliance (e.g., GDPR, FERPA), and reputational damage for educational institutions using the affected software. Although the vulnerability does not affect data integrity or system availability, the exposure of sensitive data can facilitate further social engineering attacks or identity theft. Organizations worldwide that deploy the Kashipara Responsive School Management System or similar platforms are at risk, especially those with large teacher databases. The ease of exploitation (no authentication or user interaction needed) increases the likelihood of automated scanning and data harvesting by malicious actors. The absence of known exploits in the wild currently limits immediate widespread impact, but the vulnerability remains a significant risk until remediated.

To mitigate CVE-2024-41245, organizations should immediately implement strict access control mechanisms on the /smsa/view_teachers.php endpoint. This includes enforcing authentication and authorization checks to ensure only authorized users can access teacher details. If patches become available from the vendor, they should be applied promptly. In the absence of official patches, network-level controls such as IP whitelisting, VPN access requirements, or web application firewalls (WAFs) configured to block unauthorized requests to the vulnerable endpoint can reduce exposure. Regular security audits and penetration testing should be conducted to verify access controls. Additionally, organizations should monitor logs for unusual access patterns to the teacher details page and educate staff about the risks of data exposure. Data minimization and encryption of sensitive information at rest and in transit can further reduce the impact of potential breaches.