It's likely to be an application logic authorization bug; the application doesn't check the context to see if it should return that info. Being web it's something silly like the student-id stored in the user cookie is used to to build the (parameterized) SQL statement. It's not arbitrary injection per say.