Answer Brief
A high-severity Insecure Direct Object Reference (IDOR) vulnerability has been identified in the 'App好校通' (App School Link) mobile application developed by Sun Rise Technology, potentially allowing authenticated users to access and modify unauthorized records.

Why It Matters
The discovery of CVE-2026-7491 in Sun Rise Technology’s 'App School Link' highlights a persistent risk in regional education technology (EdTech) infrastructure: the failure to implement robust object-level authorization checks. Although the attacker must be authenticated, the Insecure Direct Object Reference (IDOR) flaw allows a low-privileged user to manipulate request parameters to view or edit data belonging to other users. In the context of school management systems, this could lead to the exposure of sensitive student information or unauthorized modification of academic and administrative records.

For global security teams, this case underscores the importance of verifying that third-party mobile applications integrated into organizational workflows, especially those handling identity and personal data, enforce server-side validation for every resource request. The vulnerability was reported by CHT Security and coordinated through TWCERT/CC, emphasizing the active role of Taiwan's security research community in mitigating supply chain risks within local software ecosystems.
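The object-level check described above, shown as an added example that is not Sun Rise Technology's code and does not reflect the app's actual API: a lookup that trusts the client-supplied record id beside one that authorizes every read and write against the session user. The record fields, user ids, function names and the access policy (students read only their own record, teachers read and write records of their own class) are all assumptions made for illustration.

```python
from dataclasses import dataclass

class Forbidden(Exception):
    """The session user may not perform this action on this record."""

@dataclass
class Record:
    record_id: int
    owner_id: str   # student the record belongs to
    class_id: str
    grade: str

# Constructed sample data for a hypothetical school-records backend.
RECORDS = {
    101: Record(101, "stu-alice", "7A", "B+"),
    102: Record(102, "stu-bob", "7A", "C"),
    103: Record(103, "stu-carol", "8B", "A"),
}
# Session user -> (role, class attended or taught); constructed.
USERS = {
    "stu-alice": ("student", "7A"),
    "stu-bob": ("student", "7A"),
    "tch-lin": ("teacher", "7A"),
}

def get_record_vulnerable(session_user: str, record_id: int) -> Record:
    # IDOR: the id from the request is trusted and session_user is never
    # consulted, so any logged-in user can read any record.
    return RECORDS[record_id]

def load_authorized(session_user: str, record_id: int, action: str) -> Record:
    """Server-side object-level check, run on every read and every write."""
    role, class_id = USERS.get(session_user, (None, None))
    record = RECORDS.get(record_id)
    allowed = record is not None and (
        (role == "student" and action == "read"
         and record.owner_id == session_user)
        or (role == "teacher" and record.class_id == class_id)
    )
    if not allowed:
        # Same error for missing and forbidden ids, so responses do not
        # reveal which record ids exist.
        raise Forbidden("access denied")
    return record

def get_record(session_user: str, record_id: int) -> Record:
    return load_authorized(session_user, record_id, "read")

def update_grade(session_user: str, record_id: int, grade: str) -> None:
    load_authorized(session_user, record_id, "write").grade = grade
```

The identity used in the check comes from the server-side session, never from a request parameter, and the write path is authorized separately from the read path.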
Event Type: security
Importance: high
Affected Companies
- CHT Security
- Sun Rise Technology
Affected Sectors
- Cybersecurity
- Education Technology
- Mobile Software
Key Numbers
- CVSS Severity Score: 8.1 (High)
- Android Patch Version: 1.1.62
- iOS Patch Version: 2.7.2
Timeline
- Vulnerability details and CVE-2026-7491 publicly disclosed by TWCERT/CC.
- Sun Rise Technology released patches for both Android and iOS versions of the app.