These security issues were responsibly disclosed to affected parties before public release, along with technical details and timelines.

[CVE REQUESTED] Unauthenticated Internal API Testing Interface Exposing Hardcoded Production Credentials

Summary A publicly accessible internal API testing tool was discovered on Ednovation’s development subdomain. This tool contains hardcoded production credentials and allows unauthenticated users t...

[CVE REQUESTED] phpinfo() Exposure on Ednovation's Production Subdomain

Summary A publicly accessible PHP configuration page (phpinfo()) was discovered on Ednovation’s production subdomain eproject.ednoland.com. The exposure reveals sensitive server configuration deta...

[CVE REQUESTED] Directory Listing Exposure on Ednovation's Production Subdomain EProject

Summary A directory listing exposure was identified on Ednovation’s production subdomain eproject.ednoland.com. The vulnerability reveals sensitive server directories, configuration folders, and i...

[CVE REQUESTED] Weak Password Hashing Using MD5 in Ednovation's AIMath Web App

Summary A cryptographic weakness was discovered in the AIMath Web App, a math learning platform for children operated by Ednovation. User passwords are stored using the obsolete and insecure MD5 h...

[CVE REQUESTED] Directory Listing Exposure on Ednovation's Development Subdomain

Summary A publicly accessible directory listing was found on Ednovation’s development subdomain, exposing the internal file structure of a web application, including PHP request handlers, code lib...

[CVE REQUESTED] Public Data Exposure via Broken Auth in AIMath Web App

Summary A critical security flaw was identified in the AIMath Web App, a math learning platform operated by Ednovation, which exposes student and parent personal data via unauthenticated GET APIs....

[CVE REQUESTED] ParentCommApp SQL Injection Backend API

Summary A SQL injection vulnerability was identified in a backend API supporting Ednovation’s ParentCommApp — a communication platform used by preschools and parents. The vulnerability allows atta...

[CVE REQUESTED] ParentCommApp Insecure Direct Object Reference (IDOR)

Summary A critical Insecure Direct Object Reference (IDOR) vulnerability was discovered in Ednovation’s ParentCommApp for iOS, allowing authenticated users to retrieve private data of other childr...

[CVE REQUESTED] Broken JWT Authentication – Hardcoded Shared Secret in ParentCommApp (iOS)

Summary A critical design flaw was discovered in the JWT authentication implementation used by ParentCommApp, an iOS app developed by Ednovation. The app includes a hardcoded shared secret key use...

[CVE REQUESTED] Unauthenticated API Exposure in Ednovation ParentCommApp

Summary A critical security vulnerability was discovered in ParentCommApp — an iOS mobile application used by preschools and parents for communication within the Ednovation ecosystem. The vulnera...