Open eClass
cpe:2.3:a:openeclass:openeclass:*:*:*:*:*:*:*
- <= 4.1
A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the Open eClass platform, prior to version 4.2. This vulnerability exists in multiple teacher-restricted endpoints, allowing attackers to manipulate authenticated teachers into performing unintended actions, such as altering assignment grades, through crafted requests. The affected endpoints lack proper validation of request origins and do not implement effective CSRF protection, enabling exploitation by embedding malicious requests in web pages or emails that authenticated teachers may inadvertently interact with.
Exploitation of this vulnerability allows for unauthorized actions to be performed on behalf of teachers, such as modifying grades or other course-related information.
To reproduce this vulnerability, log in as a student with an existing assignment submission. Create a malicious HTML page that sends a POST request to the grading endpoint for that assignment, including the necessary grading parameters. Host the page on an external server and send the link to the teacher. When the teacher clicks the link, the request is submitted automatically using their session cookies, without any confirmation. Finally, log in again as the student to verify that the grade has been changed.
Users are advised to update to Open eClass version 4.2 or later, where this vulnerability has been patched.
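As an added illustration (not Open eClass code) of the two server-side checks the advisory says the affected grading endpoints lacked, request-origin validation and a per-session CSRF token; the site origin, form field names and sample requests are assumed:

```python
# Added example, not Open eClass code: the two server-side checks the advisory
# says the grading endpoints lacked. SITE_ORIGIN and the sample requests are constructed.
import hmac
import secrets
from urllib.parse import urlsplit

SITE_ORIGIN = "https://eclass.example.edu"  # assumed deployment origin


def new_csrf_token() -> str:
    """Per-session token to embed as a hidden field in the teacher's grading form."""
    return secrets.token_urlsafe(32)


def origin_allowed(headers: dict) -> bool:
    """Reject POSTs whose Origin (or, failing that, Referer) is not our site.
    Browsers send Origin on cross-site form posts, so a form auto-submitted from
    an attacker page carries that page's origin. A missing header or the literal
    'null' is treated as untrusted rather than as same-origin.
    """
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer is None:
            return False
        parts = urlsplit(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin == SITE_ORIGIN


def token_valid(session: dict, form: dict) -> bool:
    """Compare the submitted token with the session's copy in constant time."""
    expected, submitted = session.get("csrf_token"), form.get("csrf_token")
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)


def grading_request_allowed(headers: dict, session: dict, form: dict) -> bool:
    """Both checks must pass before a grade change is applied."""
    return origin_allowed(headers) and token_valid(session, form)


# Constructed samples: a teacher's session, a legitimate grade-change POST from
# the site's own form, and one auto-submitted from an attacker-hosted page.
TEACHER_SESSION = {"role": "teacher", "csrf_token": new_csrf_token()}
LEGIT_HEADERS = {"Origin": SITE_ORIGIN}
LEGIT_FORM = {"assignment_id": "17", "grade": "9", "csrf_token": TEACHER_SESSION["csrf_token"]}
FORGED_HEADERS = {"Origin": "https://attacker.example"}
FORGED_FORM = {"assignment_id": "17", "grade": "10"}
```

Either check alone would have stopped the forged request; enforcing both means a token that leaks through some other bug still cannot be replayed from a foreign origin.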