OpenLearn Safe Mode Moderation Bypass Vulnerability

A vulnerability in OpenLearn forum software prior to a specific commit allows unapproved forum posts to be accessed publicly through a direct post-read procedure, even when 'safeMode' is enabled. While the moderation feature hides pending posts from the public forum listing, the direct read function bypasses this restriction, exposing the full content of the post to anyone with the post UUID. This issue arises because the 'getSpecificPost' procedure does not apply the same moderation checks as the post listing flow, creating a straightforward policy bypass for users aware of the UUIDs of pending posts.

Impact

This vulnerability allows any user with knowledge of a pending post's UUID to access unapproved content before it has been reviewed by a moderator, undermining the platform's moderation process.

Reproduction

To reproduce this vulnerability, enable 'safeMode' and create a forum post as a normal user. The post will not appear in the public forum listing due to the moderation mode. However, by using the 'getSpecificPost' function with the post UUID, the full content of the unapproved post can be retrieved, including author data and votes, effectively bypassing the moderation control.

Remediation

Users should update to the version of OpenLearn that includes the patch for this vulnerability.