Open eClass
cpe:2.3:a:openeclass:openeclass:*:*:*:*:*:*:*
- <= 4.1
A broken access control vulnerability has been identified in the Open eClass platform, prior to version 4.2. This vulnerability allows authenticated students to add content to existing course units, a privilege reserved for higher-privileged roles such as instructors or administrators. The issue arises from inadequate role-based access control enforcement in the 'modules/units/insert.php' endpoint, enabling unauthorized users to modify course materials and structure.
Exploitation of this vulnerability allows unauthorized content to be added to course units, undermining the integrity of the course management system by letting students alter course materials and structure without authorization.
To reproduce this vulnerability, authenticate as a student and identify an existing course unit. Then, send a request to the 'modules/units/insert.php' endpoint with valid content parameters. The content will be added to the course unit, bypassing the necessary privileges.
Users are advised to update to Open eClass version 4.2 or later, where this vulnerability has been patched.
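The root cause described above is an endpoint that verifies only that the caller is logged in, not that the caller holds an editing role in the course. The following is an added illustration of that pattern and its hardened counterpart; it is not Open eClass source code, and all function, role and parameter names are assumptions chosen for the example.

```php
<?php
// Illustrative "add content to course unit" handler (hypothetical names,
// NOT Open eClass code). Shows the missing-authorization bug class and a fix.

const ROLE_STUDENT    = 'student';
const ROLE_INSTRUCTOR = 'instructor';
const ROLE_ADMIN      = 'admin';

// Roles allowed to modify course units (assumption based on the advisory text).
const UNIT_EDIT_ROLES = [ROLE_INSTRUCTOR, ROLE_ADMIN];

// Vulnerable pattern: authentication is checked, but the caller's role in the
// course is never consulted, so any authenticated student reaches the write.
function insert_unit_content_vulnerable(array $session, int $unitId, string $content, callable $store): bool
{
    if (empty($session['user_id'])) {
        http_response_code(401);            // not logged in
        return false;
    }
    $store($unitId, $content, $session['user_id']);   // write happens unconditionally
    return true;
}

// Hardened pattern: authentication AND course-scoped authorization are enforced
// server-side before any write, the unit is confirmed to belong to the course
// the role was checked against, and every denial is logged for detection.
function insert_unit_content_hardened(
    array $session, int $courseId, int $unitId, string $content,
    callable $roleLookup, callable $unitBelongsToCourse, callable $store
): bool {
    if (empty($session['user_id'])) {
        http_response_code(401);
        return false;
    }
    $userId = (int) $session['user_id'];
    $role   = $roleLookup($userId, $courseId);   // role in THIS course, not a global flag
    if (!in_array($role, UNIT_EDIT_ROLES, true)) {
        error_log(sprintf('DENY unit-insert user=%d course=%d role=%s', $userId, $courseId, $role));
        http_response_code(403);             // authenticated but not authorized
        return false;
    }
    if (!$unitBelongsToCourse($unitId, $courseId)) {
        error_log(sprintf('DENY unit-insert user=%d unit=%d not in course=%d', $userId, $unitId, $courseId));
        http_response_code(403);             // prevents editing a unit of another course
        return false;
    }
    $store($unitId, $content, $userId);
    return true;
}
```

The role must be resolved from the server-side session and the target course, never from a request parameter, and the `DENY` log lines give operators a signal to alert on repeated 403s against the insert endpoint.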