CVE-2014-1637 Information

Description

Command School Student Management System 1.06.01 does not properly restrict access to sw/backup/backup_ray2.php which allows remote attackers to download a database backup via a direct request.

Reference

http://osvdb.org/101888 http://packetstormsecurity.com/files/124708/Command-School-Student-Management-System-1.06.01-SQL-Injection-CSRF-XSS.html http://www.securityfocus.com/bid/64707