ClassroomIO Insecure Direct Object Reference Vulnerability Allowing Unauthorized Access to Course Settings

A vulnerability allowing Insecure Direct Object Reference (IDOR) has been identified in ClassroomIO version 0.1.13. This vulnerability allows students (non-privileged users) to access restricted course settings, specifically the Share and Invite management interfaces. The issue arises from inadequate authorization checks on sensitive endpoints, enabling unauthorized users to manipulate course settings that should be reserved for administrators.

Impact

Exploitation of this vulnerability allows students to access and modify course settings without proper authorization, including sharing and inviting management features that are intended for course administrators.

Reproduction

To reproduce this vulnerability, an admin user must first create and publish a course. Then, a student user can log in and navigate to the course through the Explore page, noting the course ID from the URL. By directly accessing specific URLs that correspond to the course settings share management and people management panels, the student can observe unauthorized access to these restricted features.