ApplyYourself i-Class allows remote attackers to obtain sensitive information about their own applications by reusing the hidden ID field, as demonstrated using the id parameter to ApplicantDecision.asp.
ApplyYourself i-Class ApplicantDecision.asp Result Disclosure
Remote / Network Access
Loss of Confidentiality
ApplyYourself i-Class contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when a malicious user creates a specially crafted URL and submits it to ApplicantDecision.asp with a 7-digit ID code as the id parameter. The applicant's ID code can be found in the HTML code of their admission application, where it is stored as a hidden variable. This will disclose the admission results of the applicant before they should be publicly available, resulting in a loss of confidentiality.
Currently, there are no known workarounds or upgrades to correct this issue. However, ApplyYourself has released a patch to address this vulnerability.
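The weakness described above is a decision page that trusts a client-supplied identifier and has no server-side release gate. The following is an added illustration in Python, not ApplyYourself code: the function names, the `DECISIONS` store and the `release_at` field are hypothetical, and the sample record is constructed.

```python
from datetime import datetime, timezone

# Constructed sample data: applicant ID -> stored decision (hypothetical schema).
DECISIONS = {
    "1234567": {
        "decision": "admit",
        "release_at": datetime(2030, 4, 1, tzinfo=timezone.utc),
    },
}


class NotAvailable(Exception):
    """Raised when a decision must not be shown to the caller."""


def decision_page_vulnerable(query_id):
    # Pattern from the description: the id parameter alone selects the
    # record, and it is returned as soon as it exists in the store.
    record = DECISIONS.get(query_id)
    if record is None:
        raise NotAvailable("no such applicant")
    return record["decision"]


def decision_page_hardened(session_applicant_id, query_id, now):
    # 1. Identity comes from the authenticated session. The id parameter
    #    (copied from a hidden form field) is only accepted if it matches.
    if session_applicant_id is None or query_id != session_applicant_id:
        raise NotAvailable("not authorized")
    record = DECISIONS.get(session_applicant_id)
    if record is None:
        raise NotAvailable("no such applicant")
    # 2. The release time is enforced on the server for every request,
    #    so knowing the URL and ID is not enough to read the result early.
    if now < record["release_at"]:
        raise NotAvailable("decision not yet released")
    return record["decision"]
```

Hiding the link to the decision page until release day does not substitute for the second check, because the request can be built by hand from the ID in the page source.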