by hn-miw-i 4904 days ago
It's likely to be an application logic authorization bug; the application doesn't check the context to see if it should return that info. Being web, it's something silly like the student-id stored in the user cookie is used to build the (parameterized) SQL statement. It's not arbitrary injection per se.
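The kind of bug the comment describes, as an added example that is not part of the original comment: a parameterized query that is safe from injection but takes the student id from a client-controlled cookie, next to a version that derives the id from a server-side session. The table names, cookie names and function names are hypothetical, and the data is constructed.

```python
import sqlite3

# Constructed sample data: two students and a server-side session table.
db = sqlite3.connect(":memory:")
db.executescript("""
    CREATE TABLE grades(student_id INTEGER, course TEXT, grade TEXT);
    CREATE TABLE sessions(token TEXT PRIMARY KEY, student_id INTEGER);
    INSERT INTO grades VALUES (1001, 'CS101', 'A'), (1002, 'CS101', 'C');
    INSERT INTO sessions VALUES ('tok-alice', 1001), ('tok-bob', 1002);
""")

QUERY = "SELECT course, grade FROM grades WHERE student_id = ?"


def grades_trusting_cookie(cookies):
    """Flawed: the query is parameterized (no SQL injection), but the
    student id is taken straight from a client-controlled cookie."""
    return db.execute(QUERY, (int(cookies["student_id"]),)).fetchall()


def grades_bound_to_session(cookies):
    """Hardened: the id is resolved server-side from the session token;
    any student_id value the client sends is ignored."""
    row = db.execute(
        "SELECT student_id FROM sessions WHERE token = ?",
        (cookies.get("session", ""),),
    ).fetchone()
    if row is None:
        raise PermissionError("no valid session")
    return db.execute(QUERY, (row[0],)).fetchall()


if __name__ == "__main__":
    # Constructed request: a valid session for 1001, cookie id edited to 1002.
    tampered = {"session": "tok-alice", "student_id": "1002"}
    print("trusting cookie:  ", grades_trusting_cookie(tampered))
    print("bound to session: ", grades_bound_to_session(tampered))
```

Both functions use bound parameters, so neither is injectable; only the second ties the returned rows to the authenticated user.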