PolarLearn Vote API Unvalidated Direction Vulnerability Allows Vote Manipulation
Vulnerability
A vulnerability exists in PolarLearn versions prior to 0-PRERELEASE-15 in the vote API route (`POST /api/v1/forum/vote`). The API trusts the `direction` value in the JSON body without validating it at runtime, so an attacker can send arbitrary strings as `direction`. The downstream component, `VoteServer`, interprets any value that is not `up` or null as a downvote and records the invalid value in `votes_data`. An attacker can exploit this to manipulate vote counts and bypass normal voting logic.
Impact
Exploitation of this vulnerability allows for unauthorized manipulation of vote counts, disrupting forum rankings and reputation systems that rely on votes.
Reproduction
To reproduce this vulnerability, send a POST request to the `/api/v1/forum/vote` endpoint with a JSON body that includes a `postId` and a `direction` value that is not `up` or null, such as `x`. The server will treat this as a downvote and record the invalid direction in the votes data. This process can be repeated to continuously decrease the vote count for the specified post, effectively bypassing the intended vote tracking system.
Remediation
Users are advised to update to PolarLearn version 0-PRERELEASE-15 or later, where this vulnerability has been fixed.
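For deployments that need to verify the fix or check existing data, the following added example (not PolarLearn's code) shows an allow-list check on `direction` at the route boundary and an audit of stored votes for values that were recorded without validation. The function names, the `postId` type, the `down` literal and the shape of `votes_data` (user id mapped to stored direction) are assumptions.

```javascript
// Added example. Function names, the postId type and the votes_data shape
// (user id -> stored direction) are assumptions, not PolarLearn's code.
const ALLOWED_DIRECTIONS = new Set(["up", "down", null]);

// The loose interpretation the advisory describes: anything that is not
// "up" or null is counted as a downvote.
function looseInterpret(direction) {
  if (direction === null) return 0;
  return direction === "up" ? 1 : -1;
}

// Runtime validation of the parsed JSON body before it reaches vote logic.
function validateVoteBody(body) {
  const reject = (error) => ({ ok: false, status: 400, error });
  if (body === null || typeof body !== "object" || Array.isArray(body)) {
    return reject("body must be a JSON object");
  }
  if (typeof body.postId !== "string" || body.postId.length === 0) {
    return reject("postId must be a non-empty string");
  }
  // Require the field to be present as an own property with an allowed value.
  const hasDirection = Object.prototype.hasOwnProperty.call(body, "direction");
  if (!hasDirection || !ALLOWED_DIRECTIONS.has(body.direction)) {
    return reject('direction must be "up", "down" or null');
  }
  return { ok: true, vote: { postId: body.postId, direction: body.direction } };
}

// Audit stored votes for values written before validation was in place.
function findInvalidVotes(votesData) {
  return Object.entries(votesData)
    .filter(([, direction]) => direction !== "up" && direction !== "down")
    .map(([userId, direction]) => ({ userId, direction }));
}

// Constructed sample inputs.
const sampleBodies = [
  { postId: "post-1", direction: "up" },
  { postId: "post-1", direction: null },
  { postId: "post-1", direction: "x" },
  { postId: "post-1", direction: ["down"] },
  { postId: "post-1" },
];
for (const body of sampleBodies) {
  console.log(JSON.stringify(body), "->", JSON.stringify(validateVoteBody(body)));
}
console.log(findInvalidVotes({ alice: "up", bob: "x", carol: "down" }));
```

Rejecting with a 400 response, rather than coercing unknown values to a default, keeps invalid strings out of `votes_data` entirely.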
