CVE-2024-41252: n/a
An Incorrect Access Control vulnerability was found in /smsa/admin_student_register_approval.php and /smsa/admin_student_register_approval_submit.php in Kashipara Responsive School Management System v3.2.0, which allows remote unauthenticated attackers to view and approve student registration.
AI Analysis
Technical Summary
CVE-2024-41252 identifies an Incorrect Access Control vulnerability in Kashipara Responsive School Management System version 3.2.0. The affected components are two PHP scripts: admin_student_register_approval.php and admin_student_register_approval_submit.php. These scripts handle the approval process for student registrations within the system. Due to improper access control, remote attackers can access these endpoints without authentication, enabling them to view pending student registrations and approve them arbitrarily. This bypasses intended administrative controls, potentially allowing unauthorized users to manipulate student enrollment data. The vulnerability is classified under CWE-284 (Improper Access Control), indicating a failure to restrict access to privileged functions. The CVSS v3.1 base score is 5.3, with vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, meaning the attack is network-based, requires no privileges or user interaction, affects confidentiality slightly, but does not impact integrity or availability. No patches or exploits are currently documented, but the risk remains due to the ease of exploitation and the sensitive nature of school management data.
Potential Impact
The primary impact of this vulnerability is unauthorized disclosure of student registration information and unauthorized approval of student registrations. This can lead to enrollment of unverified or malicious users into the school system, potentially compromising the integrity of student records and administrative processes. Although the CVSS vector rates integrity and availability impact as none, unauthorized approvals could disrupt school operations and trust in the system. Educational institutions relying on this software may face compliance and privacy issues, especially under regulations protecting student data. The ease of exploitation without authentication increases the risk of automated or mass exploitation attempts. Although no known exploits exist yet, the vulnerability could be leveraged by attackers to gain footholds in school networks or to conduct social engineering attacks using falsified student identities.
Mitigation Recommendations
To mitigate this vulnerability, organizations should immediately audit and enforce strict access control mechanisms on the affected PHP scripts. This includes implementing robust authentication and authorization checks to ensure only legitimate administrators can view and approve student registrations. Input validation and session management should be reviewed to prevent unauthorized access. If possible, restrict access to these endpoints by IP whitelisting or VPN access to trusted networks. Monitoring and logging of all approval actions should be enhanced to detect suspicious activities. Since no official patch is currently available, consider temporarily disabling the affected approval functions or placing them behind additional authentication layers. Engage with the software vendor or community to obtain or develop patches. Regularly update the system and apply security best practices for web applications to reduce the attack surface.
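One way to put the authentication, authorization and logging checks described above in front of both affected scripts, as an added example that is not Kashipara's own code. The guard file name `require_admin.php`, the session keys `admin_id`, `role` and `csrf_token`, and the `csrf_token` form field are assumptions and must be matched to what the application's login handler and approval form actually use.

```php
<?php
declare(strict_types=1);
// require_admin.php: hypothetical guard file (added example, not vendor code).
// Include it as the first statement of both affected scripts:
//   require_once __DIR__ . '/require_admin.php';

session_set_cookie_params([      // array form needs PHP 7.3+
    'httponly' => true,
    'secure'   => true,          // assumes the site is served over HTTPS
    'samesite' => 'Strict',
]);
session_start();

// Assumption: the login handler sets these keys after a successful admin login.
$isAdmin = isset($_SESSION['admin_id'], $_SESSION['role'])
    && $_SESSION['role'] === 'admin';

if (!$isAdmin) {
    // Log the denied request so probing of the endpoints is visible to defenders.
    error_log(sprintf(
        'DENY unauthenticated request uri=%s ip=%s',
        $_SERVER['REQUEST_URI'] ?? '-',
        $_SERVER['REMOTE_ADDR'] ?? '-'
    ));
    http_response_code(403);
    exit('Forbidden');
}

// Per-session CSRF token; the approval form must send it as a hidden field.
if (empty($_SESSION['csrf_token'])) {
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
}

// The state-changing script must be reached by POST with a valid token.
$script   = basename($_SERVER['SCRIPT_NAME'] ?? '');
$isSubmit = $script === 'admin_student_register_approval_submit.php';
if ($isSubmit) {
    $token = $_POST['csrf_token'] ?? '';
    if ($_SERVER['REQUEST_METHOD'] !== 'POST'
        || !is_string($token)
        || !hash_equals($_SESSION['csrf_token'], $token)) {
        http_response_code(400);
        exit('Bad request');
    }
    // Audit trail for every approval attempt by an authenticated admin.
    error_log(sprintf('APPROVAL admin=%s ip=%s',
        (string) $_SESSION['admin_id'], $_SERVER['REMOTE_ADDR'] ?? '-'));
}
```

Because the guard exits before any application code runs, an unauthenticated request to either script returns 403 without touching registration data.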
Affected Countries
India, Bangladesh, Pakistan, Nepal, Sri Lanka, United States, United Kingdom, Australia, Canada
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2024-07-18T00:00:00.000Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6cb3b7ef31ef0b5682e2
Added to database: 2/25/2026, 9:42:11 PM
Last enriched: 2/28/2026, 5:34:40 AM
Last updated: 4/12/2026, 2:37:02 PM