Open eClass Attendance Manipulation Vulnerability

Vulnerability

A business logic vulnerability exists in the Open eClass platform, prior to version 4.2, allowing authenticated students to improperly mark themselves as present in attendance activities, including those that have already expired. This is achieved by directly accessing a crafted URL, exploiting a flaw in the attendance module that fails to enforce proper authorization and state validation. As a result, students can manipulate attendance records, leading to integrity violations in academic data.

Impact

Exploitation of this vulnerability allows for unauthorized manipulation of attendance records, creating false representations of student participation and potentially impacting academic evaluations.

Reproduction

To reproduce this vulnerability, authenticate as a student and identify an expired attendance activity. Then, manually construct a URL that includes the course ID, attendance ID, and a parameter to indicate presence. Access this URL in a web browser, and the application will incorrectly register the student as present.
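The checks a server-side attendance handler needs to close this class of flaw can be shown in a small model, added here as an example that is not Open eClass code. It assumes a data model (an activity with an open/close window and a self-report flag, users enrolled in or teaching a course) chosen for illustration; the sample users, course and activity ids are constructed. The vulnerable handler trusts the request parameters, which is the pattern the advisory describes; the hardened one verifies that the activity belongs to the course, that the caller is allowed to write the record for that student, and that the activity is still open:

```python
"""Model of server-side authorization and state validation for attendance.

Added example; not Open eClass code. The data model and sample records are
assumptions made for illustration only.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class Activity:
    id: int
    course_id: int
    opens: datetime
    closes: datetime          # after this instant the activity is expired
    self_report: bool = True  # students may record their own presence while open


@dataclass
class User:
    id: int
    enrolled: set = field(default_factory=set)  # course ids as a student
    teaching: set = field(default_factory=set)  # course ids as an instructor


class AttendanceError(Exception):
    """Raised when a request fails authorization or state validation."""


# Constructed sample data: course 7 with an expired activity (42) and an open one (43).
NOW = datetime(2026, 2, 3, 18, 0, tzinfo=timezone.utc)
ACTIVITIES = {
    42: Activity(42, 7, NOW - timedelta(days=2), NOW - timedelta(days=1)),
    43: Activity(43, 7, NOW - timedelta(hours=1), NOW + timedelta(hours=1)),
}
STUDENT = User(id=1001, enrolled={7})
INSTRUCTOR = User(id=2001, teaching={7})


def mark_present_vulnerable(records, actor, course_id, activity_id, student_id):
    """Handler that trusts request parameters: no ownership, role or window check.
    Any authenticated user can set any record, including for expired activities."""
    records[(activity_id, student_id)] = "present"
    return "present"


def mark_present_hardened(records, actor, course_id, activity_id, student_id, now=NOW):
    """Handler that enforces authorization and activity state before writing."""
    activity = ACTIVITIES.get(activity_id)
    # The activity must exist and belong to the course named in the request,
    # so a course the caller belongs to cannot be paired with another course's activity.
    if activity is None or activity.course_id != course_id:
        raise AttendanceError("activity not found in course")
    if course_id not in actor.teaching:
        # Not an instructor of this course: must be an enrolled student,
        # may only write their own record, and only while the activity is open.
        if course_id not in actor.enrolled:
            raise AttendanceError("not enrolled")
        if student_id != actor.id:
            raise AttendanceError("cannot record presence for another user")
        if not activity.self_report:
            raise AttendanceError("self-reporting disabled")
        if not (activity.opens <= now <= activity.closes):
            raise AttendanceError("activity is not open")
    records[(activity_id, student_id)] = "present"
    return "present"


def outcome(actor, course_id, activity_id, student_id, now=NOW):
    """Run the hardened handler and return 'present' or 'rejected: <reason>'."""
    try:
        return mark_present_hardened({}, actor, course_id, activity_id, student_id, now)
    except AttendanceError as exc:
        return f"rejected: {exc}"


def demo():
    """Same request (student marks self on expired activity 42) against both handlers."""
    vulnerable = mark_present_vulnerable({}, STUDENT, 7, 42, STUDENT.id)
    hardened = outcome(STUDENT, 7, 42, STUDENT.id)
    return vulnerable, hardened


if __name__ == "__main__":
    print(demo())  # ('present', 'rejected: activity is not open')
```

The ordering of the checks matters: the activity-to-course binding is verified first so that every later decision is made against the activity the request actually names, and the time window is evaluated with a server-side clock rather than anything supplied by the client. Logging each rejection with the actor id, activity id and reason gives operators a detection signal for repeated attempts against expired activities.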

Remediation

Users are advised to update to Open eClass version 4.2 or later, where this vulnerability has been patched.

Added: Feb 3, 2026, 6:18 PM
Updated: Feb 3, 2026, 6:18 PM

Vulnerability Rating

Custom Algorithm
spread: 1.9
impact: 0.6
exploitability: 6.6
remediation: 7.7
relevance: 2.7
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.