GUnet OpenEclass Information Disclosure Vulnerability

Vulnerability

A vulnerability in GUnet OpenEclass version 1.7.3 allows both unauthenticated and authenticated users to access sensitive information. This includes system details, application version, and other students' uploaded assessments. The issue arises from improper access controls and information disclosure flaws in various modules, enabling unauthorized retrieval of system info, version info, and files from other users.

Impact

Exploitation of this vulnerability could lead to unauthorized access to sensitive information, including personal assessments of other students and potentially exploitable system information.

Reproduction

The vulnerability can be reproduced by accessing specific modules within the OpenEclass platform. Unauthenticated users can retrieve system and version information from designated admin modules. Authenticated students can access other students' assessments by navigating to the 'work' directory of the relevant course.

Added: Feb 3, 2026, 7:51 PM
Updated: Feb 3, 2026, 7:51 PM

Vulnerability Rating

Custom Algorithm

spread: 2.2
impact: 2.5
exploitability: 6.8
remediation: 0.0
relevance: 2.7
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.