CVE-2025-61148: n/a
An Insecure Direct Object Reference (IDOR) vulnerability in the EduplusCampus 3.0.1 Student Payment API allows authenticated users to access other students' personal and financial records by modifying the 'rec_no' parameter in the /student/get-receipt endpoint.
AI Analysis
Technical Summary
CVE-2025-61148 is an Insecure Direct Object Reference (IDOR) vulnerability identified in the EduplusCampus 3.0.1 Student Payment API. The vulnerability arises from insufficient authorization checks on the 'rec_no' parameter within the /student/get-receipt API endpoint. Authenticated users can exploit this flaw by modifying the 'rec_no' parameter to retrieve payment receipts and the associated personal and financial information of other students, bypassing the intended access controls. The vulnerability falls under CWE-639 (Authorization Bypass Through User-Controlled Key), which covers authorization errors that lead to unauthorized access to objects. The CVSS v3.1 base score is 6.5 (medium severity), with a vector of network attack vector (AV:N), low attack complexity (AC:L), low privileges required (PR:L), no user interaction (UI:N), unchanged scope (S:U), high confidentiality impact (C:H), and no impact on integrity or availability (I:N/A:N). Exploitation does not require user interaction but does require the attacker to be authenticated, which limits exposure to internal or registered users. No patches or known exploits had been reported as of the publication date, December 4, 2025. The vulnerability poses a significant risk of unauthorized disclosure of sensitive student data, including personal identifiers and financial information, which could lead to privacy violations and regulatory non-compliance. The root cause is inadequate server-side authorization validation: direct object references can be manipulated without the server verifying that the requesting user is permitted to read the referenced record. This class of flaw is common in APIs that do not enforce access control checks on resource identifiers.
Potential Impact
For European organizations, particularly educational institutions using EduplusCampus 3.0.1, this vulnerability presents a serious risk to student privacy and data protection compliance under regulations such as GDPR. Unauthorized access to personal and financial records can lead to data breaches, reputational damage, and potential legal penalties. The confidentiality of sensitive student information is directly compromised, which may also facilitate identity theft or financial fraud. Since exploitation requires authentication, insider threats or compromised accounts pose a significant risk vector. The lack of impact on integrity and availability means systems remain operational and data unaltered, but the exposure of confidential data alone is critical. The vulnerability could undermine trust in educational service providers and lead to increased scrutiny from data protection authorities. Additionally, the breach of financial data could have cascading effects on payment processing and institutional financial operations.
Mitigation Recommendations
Organizations should immediately audit and strengthen access control on the /student/get-receipt API endpoint so that users can only access their own records. Implement strict server-side authorization checks that validate ownership of the record referenced by the 'rec_no' parameter against the authenticated user's identity. Employ API gateways or web application firewalls (WAFs) with rules to detect and block anomalous parameter tampering attempts. Monitor API logs for unusual access patterns, such as repeated requests with varying 'rec_no' values from the same user account. Enforce the principle of least privilege on user accounts to limit the potential damage from compromised credentials. Educate users and administrators about the risks of credential compromise and implement multi-factor authentication (MFA) to reduce unauthorized access. Coordinate with the EduplusCampus vendor to obtain patches or updates addressing this vulnerability and apply them promptly once available. Conduct regular security assessments and penetration testing focused on API endpoints to detect similar authorization weaknesses.
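As an added illustration (not EduplusCampus code; the handler shape, the sample receipt records and the log format are assumptions), the IDOR pattern is shown beside the ownership-checked handler the recommendations call for, together with a small detector for the "varying rec_no from one account" log pattern:

```python
# Added example, not EduplusCampus code: a minimal model of a /student/get-receipt
# handler with and without a server-side ownership check, plus a log-based
# detector for the enumeration pattern the advisory recommends monitoring.
from collections import defaultdict

# Constructed sample data: receipts keyed by rec_no; "owner" is the student id.
RECEIPTS = {
    1001: {"owner": "stu-A", "amount": 1200.00, "name": "Student A"},
    1002: {"owner": "stu-B", "amount": 950.00, "name": "Student B"},
    1003: {"owner": "stu-A", "amount": 300.00, "name": "Student A"},
}

def get_receipt_vulnerable(session_user, rec_no):
    """IDOR pattern: trusts the client-supplied rec_no and never checks ownership."""
    rec = RECEIPTS.get(rec_no)
    return (200, rec) if rec else (404, None)

def get_receipt_fixed(session_user, rec_no):
    """Server-side check: the record must exist AND belong to the session user.
    A foreign rec_no gets the same 404 as a nonexistent one, so the response
    does not act as an oracle for which record numbers are valid."""
    rec = RECEIPTS.get(rec_no)
    if rec is None or rec["owner"] != session_user:
        return (404, None)
    return (200, rec)

# Constructed log lines in the form "<user> <rec_no> <status>".
SAMPLE_LOG = """\
stu-A 1001 200
stu-A 1003 200
stu-B 1001 200
stu-B 1002 200
stu-B 1003 200
stu-B 1004 404
stu-B 1005 404
"""

def flag_enumerators(log_text, threshold=3):
    """Return users that requested more than `threshold` distinct rec_no values,
    i.e. the repeated-requests-with-varying-rec_no pattern from one account."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        user, rec_no, _status = line.split()
        seen[user].add(int(rec_no))
    return sorted(u for u, recs in seen.items() if len(recs) > threshold)
```

The detector is a starting point for a SIEM rule; in production the threshold would be tuned per time window rather than over the whole log.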
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2025-09-26T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 6931afbe739651d5d527e7c2
Added to database: 12/4/2025, 3:58:54 PM
Last enriched: 12/11/2025, 9:59:13 PM
Last updated: 1/18/2026, 10:52:24 AM