PolarLearn WebSocket Unauthenticated Access Vulnerability Allowing Arbitrary Message Injection

Vulnerability

A vulnerability in PolarLearn versions through 0-PRERELEASE-16 allows unauthenticated users to access the group chat WebSocket. Without logging in, clients can subscribe to any group chat by providing a group UUID and send messages that are stored in the group's chat content, enabling spam and harassment.

Impact

Exploitation of this vulnerability allows for unauthorized reading and writing in group chats, including private ones, with messages being permanently stored in the database. This could be used for spamming, harassment, or tampering with chat history.

Reproduction

To reproduce this vulnerability, connect to the WebSocket at wss://polarlearn.nl/api/v1/ws without authentication. Once connected, subscribe to a group by sending a message that includes the group UUID. After subscribing, inject a message into the group chat. The message will be accepted by the server and stored in the group's chat content, confirming the successful exploitation of the vulnerability.
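The two server-side checks whose absence this advisory describes are authentication (a socket must belong to a logged-in user before it can subscribe) and authorization (knowing a group UUID is not the same as being a member of the group). The handler below is an added illustration of those checks, not PolarLearn's own code. It assumes a JSON frame format with `type`, `token`, `group` and `text` fields, a constructed session table in place of real session verification, constructed group UUIDs and member lists, and an in-memory list standing in for the stored chat content; all of these are assumptions.

```python
import json
import uuid
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample data (not real PolarLearn identifiers): two groups
# and their member lists, keyed by group UUID.
GROUP_A = "11111111-1111-4111-8111-111111111111"
GROUP_B = "22222222-2222-4222-8222-222222222222"
GROUP_MEMBERS = {GROUP_A: {"alice", "bob"}, GROUP_B: {"carol"}}

# Constructed session table standing in for real session verification.
SESSIONS = {"tok-alice": "alice", "tok-mallory": "mallory"}

# Stands in for the persisted chat content; only accepted messages land here.
CHAT_LOG = {gid: [] for gid in GROUP_MEMBERS}


@dataclass
class Connection:
    """Per-socket state. `user` stays None until a valid token is presented."""
    user: Optional[str] = None
    subscriptions: set = field(default_factory=set)


def _reject(reason):
    return {"ok": False, "error": reason}


def handle(conn, raw):
    """Process one inbound frame and return the server's reply as a dict.

    Order of checks: parse -> authentication -> group authorization -> action.
    Unknown groups and non-member groups get the same reply so that a
    logged-in client cannot enumerate group UUIDs from the error text.
    """
    try:
        msg = json.loads(raw)
    except json.JSONDecodeError:
        return _reject("malformed")
    if not isinstance(msg, dict):
        return _reject("malformed")
    kind = msg.get("type")

    if kind == "auth":
        user = SESSIONS.get(msg.get("token"))
        if user is None:
            return _reject("bad token")
        conn.user = user
        return {"ok": True, "user": user}

    # Authentication: every frame other than "auth" needs a logged-in user.
    if conn.user is None:
        return _reject("unauthenticated")

    # Authorization: a syntactically valid UUID is not proof of membership.
    gid = msg.get("group")
    try:
        uuid.UUID(str(gid))
    except ValueError:
        return _reject("forbidden")
    if conn.user not in GROUP_MEMBERS.get(gid, set()):
        return _reject("forbidden")

    if kind == "subscribe":
        conn.subscriptions.add(gid)
        return {"ok": True, "subscribed": gid}
    if kind == "send":
        if gid not in conn.subscriptions:
            return _reject("not subscribed")
        text = msg.get("text")
        if not isinstance(text, str) or not text.strip() or len(text) > 2000:
            return _reject("bad text")
        CHAT_LOG[gid].append({"from": conn.user, "text": text})
        return {"ok": True, "stored": len(CHAT_LOG[gid])}
    return _reject("unknown type")


def replay_advisory_sequence():
    """Replay the subscribe-then-send sequence from a socket that never
    authenticated; return (replies, number of messages stored in GROUP_A)."""
    conn = Connection()
    replies = [
        handle(conn, json.dumps({"type": "subscribe", "group": GROUP_A})),
        handle(conn, json.dumps({"type": "send", "group": GROUP_A, "text": "spam"})),
    ]
    return replies, len(CHAT_LOG[GROUP_A])


if __name__ == "__main__":
    print(replay_advisory_sequence())
```

Both rejections happen before anything touches the chat store, which is the property to verify in a fix: an unauthenticated or non-member socket must not be able to cause a database write, not merely fail to receive broadcasts. Logging the rejected frames with the source address gives the detection signal for the spam pattern the advisory describes.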

Added: Feb 10, 2026, 2:24 AM
Updated: Feb 10, 2026, 2:24 AM

Vulnerability Rating

Custom Algorithm

spread:         0.0
impact:         5.0
exploitability: 8.2
remediation:    0.0
relevance:      2.6
threat:         6.4
urgency:        2.9
incentive:      4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.