AlekSIS-Core Incorrect Access Control Vulnerability Allowing Unauthenticated PDF Access

Vulnerability

AlekSIS-Core is affected by an incorrect access control vulnerability that allows unauthenticated users to access every PDF file generated within the last 24 hours. Affected versions are 3.0, 3.1, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.1.5, 3.1.6, 3.2.0 and 3.2.1. The root cause is that the permission check for accessing PDF files is only enforced for users with a specific persona; a user without one is never checked and can guess file IDs to reach other PDF files.

Impact

Exploiting this vulnerability gives unauthorized access, within a 24-hour window, to sensitive PDF files generated by third-party applications, such as substitution plans and class register printouts.

Reproduction

To reproduce this vulnerability, an unauthenticated user requests the generation of a PDF file, reads its ID from the GraphQL response, and then modifies that ID to retrieve other PDF files created in the last 24 hours. The attack works because no access control is applied to users without a persona.
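As an added illustration (hypothetical Python, not AlekSIS-Core's own code), the following models the flawed authorization pattern described in the Vulnerability and Reproduction sections beside a deny-by-default version of the same check. The Requester and PDFFile types, the session-based ownership for anonymous generation requests, and the sample files are assumptions made for the example.

```python
# Illustrative model of the defect and a deny-by-default fix; NOT AlekSIS-Core's code.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

RETENTION = timedelta(hours=24)  # generated PDFs stay reachable this long

@dataclass(frozen=True)
class Requester:
    person_id: Optional[int]     # None models a user without a persona
    session_key: Optional[str]   # anonymous requesters are known only by session

@dataclass(frozen=True)
class PDFFile:
    file_id: int                 # sequential ids are what makes guessing cheap
    owner_person_id: Optional[int]
    owner_session_key: Optional[str]
    created_at: datetime

def can_view_vulnerable(req: Requester, pdf: PDFFile, now: datetime) -> bool:
    """Flawed pattern: ownership is checked only for requesters with a persona."""
    if now - pdf.created_at > RETENTION:
        return False
    if req.person_id is not None:
        return pdf.owner_person_id == req.person_id
    return True  # BUG: no persona, no check at all -> every unexpired file is open

def can_view_fixed(req: Requester, pdf: PDFFile, now: datetime) -> bool:
    """Deny by default: the requester must own the file by persona or by session."""
    if now - pdf.created_at > RETENTION:
        return False
    if req.person_id is not None and pdf.owner_person_id == req.person_id:
        return True
    if req.session_key is not None and pdf.owner_session_key == req.session_key:
        return True
    return False

def reachable_count(policy, req: Requester, pdfs, now: datetime) -> int:
    """Audit helper: how many stored files a requester can open under a policy."""
    return sum(1 for p in pdfs if policy(req, p, now))

# Constructed sample store (not real data): three fresh files, one expired.
NOW = datetime(2025, 6, 9, 12, 0, tzinfo=timezone.utc)
SAMPLE_PDFS = [
    PDFFile(1, 1, None, NOW - timedelta(hours=1)),
    PDFFile(2, 2, None, NOW - timedelta(hours=2)),
    PDFFile(3, None, "sess-a", NOW - timedelta(minutes=5)),
    PDFFile(4, 1, None, NOW - timedelta(hours=30)),
]
```

Running reachable_count with a persona-less requester against the sample store shows the difference directly: the flawed policy opens every unexpired file, the fixed one opens only the file bound to that requester's own session.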

Remediation

The vulnerability has been fixed in AlekSIS-Core version 4.0.0, with backported fixes available in versions 3.1.7 and 3.2.2. Users can update to these versions by running 'pip3 install -U aleksis-core==3.1.7' or 'pip3 install -U aleksis-core==3.2.2' in their virtual environment.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 7.6
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.