ClassroomIO Broken Access Control Vulnerability Allowing Unauthorized Course Deletion
Vulnerability
A broken access control vulnerability exists in ClassroomIO version 0.1.13. It allows student accounts to delete courses from the Explore page without any authorization or authentication checks, bypassing the intended restriction that only administrators can perform deletions. The root cause is a lack of proper server-side permission validation: the deletion functionality is exposed to students, and the server carries out the request without verifying the caller's role.
Impact
Exploitation of this vulnerability leads to unauthorized deletion of courses, causing loss of educational content and disruption of the platform's functionality.
Reproduction
To reproduce this vulnerability, log in as an admin account and create a course, ensuring it is published. Then, log in as a student account. Navigate to the Explore page where the published course is visible. The student will see an option to delete the course. Upon clicking the 'Delete' button and confirming the action, the course will be removed without any authorization checks. Finally, log back in as the admin to verify that the course has been deleted.
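The following is an added illustration, not ClassroomIO's code, of the missing check described above: a course-deletion handler that trusts the UI to hide the button (the vulnerable shape) beside one that resolves the caller's role server-side from the session before deleting. The data model, role names and function names are assumptions; in a real deployment the same check belongs in the server route or database policy, never only in the client component.

```typescript
// Added example (not ClassroomIO's code). Data model and names are assumed.
type Role = "admin" | "student";

interface Course { id: string; orgId: string; title: string; published: boolean }
interface Member { userId: string; orgId: string; role: Role }

// Session is what the server derives from the auth cookie. A role sent by the
// client is never consulted.
interface Session { userId: string }

// Constructed sample data standing in for the database.
const courses = new Map<string, Course>([
  ["c1", { id: "c1", orgId: "org1", title: "Intro", published: true }],
  ["c2", { id: "c2", orgId: "org1", title: "Advanced", published: true }],
]);
const members: Member[] = [
  { userId: "alice", orgId: "org1", role: "admin" },
  { userId: "bob", orgId: "org1", role: "student" },
];

// Vulnerable shape: the handler assumes only admins ever reach it because the
// UI was meant to hide the button, so it deletes whatever id it receives.
function deleteCourseUnchecked(_session: Session, courseId: string): boolean {
  return courses.delete(courseId);
}

type DeleteResult = "deleted" | "not_found" | "forbidden";

// Hardened shape: look up the caller's membership in the organisation that
// owns the course and refuse anything but an admin.
function deleteCourse(session: Session, courseId: string): DeleteResult {
  const course = courses.get(courseId);
  if (!course) return "not_found";
  const membership = members.find(
    (m) => m.userId === session.userId && m.orgId === course.orgId,
  );
  if (!membership || membership.role !== "admin") {
    // Denied attempts are worth logging; repeats from one account merit an alert.
    console.warn(`denied course delete: user=${session.userId} course=${courseId}`);
    return "forbidden";
  }
  courses.delete(courseId);
  return "deleted";
}

function courseExists(courseId: string): boolean {
  return courses.has(courseId);
}
```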
