PatchSiren cyber security CVE debrief
CVE-2022-2808 Algan Software CVE debrief
CVE-2022-2808 is a high-severity authorization bypass vulnerability in Algan Software's Prens Student Information System, published by NVD on 2022-12-02 and last modified on 2026-05-20. The flaw, classified as CWE-639 (Authorization Bypass Through User-Controlled Key), enables Object Relational Mapping (ORM) injection attacks. Affected versions span all releases prior to 2.1.11. The CVSS 3.1 score of 8.8 reflects network attack vector, low attack complexity, low privileges required, and high impact across confidentiality, integrity, and availability. Turkish cybersecurity authorities (USOM) issued advisory TR-22-0708 documenting this vulnerability. No known exploitation in ransomware campaigns has been recorded, and the vulnerability does not appear on CISA's Known Exploited Vulnerabilities catalog.
- Vendor: Algan Software
- Product: Prens Student Information System
- CVSS: HIGH 8.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2022-12-02
- Original CVE updated: 2026-05-20
- Advisory published: 2022-12-02
- Advisory updated: 2026-05-20
Who should care
Organizations operating Prens Student Information System deployments; educational institutions using affected versions; security teams responsible for student data protection; compliance officers managing educational data privacy requirements
Technical summary
The vulnerability stems from improper authorization controls where user-supplied keys can manipulate ORM queries. Attackers with low privileges can exploit this to bypass intended access restrictions and inject malicious ORM operations, potentially leading to unauthorized data disclosure, modification, or deletion. The attack requires no user interaction and can be executed remotely over the network.
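To make the CWE-639 pattern concrete, here is an added example (constructed for this debrief, not Prens Student Information System code, whose internals are not public): a lookup that passes request parameters straight into an ORM-style filter and trusts the record key, beside a hardened version that allowlists filter fields and scopes the key lookup to the authenticated account. The `Student` model, sample rows and `orm_filter` helper are all assumptions standing in for a real ORM.

```python
# Added example: CWE-639 / ORM-injection pattern, vulnerable vs. hardened lookup.
from dataclasses import dataclass


@dataclass(frozen=True)
class Student:
    id: int
    owner: str   # account permitted to view this record (assumed field)
    name: str
    grade: str


# Constructed sample rows standing in for an ORM-backed student table.
STUDENTS = [
    Student(1, "alice", "Alice A.", "A"),
    Student(2, "bob", "Bob B.", "C"),
]


def orm_filter(rows, **conds):
    """Minimal stand-in for an ORM's filter(**kwargs): every keyword is a column match."""
    return [r for r in rows if all(getattr(r, k) == v for k, v in conds.items())]


# Only these fields may ever come from the client as filter conditions.
ALLOWED_FILTERS = {"grade"}


def lookup_vulnerable(user, params):
    # Every request parameter becomes an ORM condition (ORM injection), and the
    # record key is honoured without checking that it belongs to `user` (CWE-639).
    conds = dict(params)
    conds["id"] = int(conds["id"])
    return orm_filter(STUDENTS, **conds)


def lookup_hardened(user, params):
    # 1. Drop any condition the client is not allowed to control.
    conds = {k: v for k, v in params.items() if k in ALLOWED_FILTERS}
    # 2. Validate the key's type before it reaches the query layer.
    conds["id"] = int(params["id"])
    # 3. Bind the lookup to the authenticated account; the server, not the
    #    client, decides the ownership condition, so a foreign key yields nothing.
    conds["owner"] = user
    return orm_filter(STUDENTS, **conds)
```

Logging the cases where the hardened lookup returns nothing for a well-formed key is a cheap way to surface the "unauthorized data access attempts" this debrief recommends monitoring for.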
Defensive priority
HIGH
Recommended defensive actions
- Upgrade Prens Student Information System to version 2.1.11 or later
- Review application authorization logic for user-controlled key vulnerabilities
- Implement input validation and parameterized queries to prevent ORM injection
- Monitor for unauthorized data access attempts in application logs
- Conduct security assessment of ORM query construction patterns
Evidence notes
Vendor identification derived from NVD CPE data with medium confidence. CWE-639 classification confirmed by both USOM and NVD sources. Version boundary (before 2.1.11) established through CPE criteria.
Official resources
- CVE-2022-2808 CVE record (CVE.org)
- CVE-2022-2808 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference
- Mitigation or vendor reference: [email protected] - Third Party Advisory
Disclosed via NVD on 2022-12-02 with subsequent modification on 2026-05-20. USOM published advisory TR-22-0708 as third-party confirmation.