Public Security Vulnerability Disclosures
[CVE REQUESTED] Unauthenticated Internal API Testing Interface Exposing Hardcoded Production Credentials
Summary: A publicly accessible internal API testing tool was discovered on Ednovation’s development subdomain. This tool contains hardcoded production credentials and allows unauthenticated users t...
[CVE REQUESTED] phpinfo() Exposure on Ednovation's Production Subdomain
Summary: A publicly accessible PHP configuration page (phpinfo()) was discovered on Ednovation’s production subdomain eproject.ednoland.com. The exposure reveals sensitive server configuration deta...
[CVE REQUESTED] Directory Listing Exposure on Ednovation's Production Subdomain EProject
Summary: A directory listing exposure was identified on Ednovation’s production subdomain eproject.ednoland.com. The vulnerability reveals sensitive server directories, configuration folders, and i...
[CVE REQUESTED] Weak Password Hashing Using MD5 in Ednovation's AIMath Web App
Summary: A cryptographic weakness was discovered in the AIMath Web App, a math learning platform for children operated by Ednovation. User passwords are stored using the obsolete and insecure MD5 h...
[CVE REQUESTED] Directory Listing Exposure on Ednovation's Development Subdomain
Summary: A publicly accessible directory listing was found on Ednovation’s development subdomain, exposing the internal file structure of a web application, including PHP request handlers, code lib...
[CVE REQUESTED] Public Data Exposure via Broken Auth in AIMath Web App
Summary: A critical security flaw was identified in the AIMath Web App, a math learning platform operated by Ednovation, which exposes student and parent personal data via unauthenticated GET APIs....
[CVE REQUESTED] ParentCommApp SQL Injection Backend API
Summary: A SQL injection vulnerability was identified in a backend API supporting Ednovation’s ParentCommApp — a communication platform used by preschools and parents. The vulnerability allows atta...
[CVE REQUESTED] ParentCommApp Insecure Direct Object Reference (IDOR)
Summary: A critical Insecure Direct Object Reference (IDOR) vulnerability was discovered in Ednovation’s ParentCommApp for iOS, allowing authenticated users to retrieve private data of other childr...
[CVE REQUESTED] Broken JWT Authentication – Hardcoded Shared Secret in ParentCommApp (iOS)
Summary: A critical design flaw was discovered in the JWT authentication implementation used by ParentCommApp, an iOS app developed by Ednovation. The app includes a hardcoded shared secret key use...
[CVE REQUESTED] Unauthenticated API Exposure in Ednovation ParentCommApp
Summary: A critical security vulnerability was discovered in ParentCommApp — an iOS mobile application used by preschools and parents for communication within the Ednovation ecosystem. The vulnera...