Impact
A flaw in the server-side authorization logic allowed authenticated users to perform actions beyond their assigned roles across multiple features. Because the affected endpoints relied on client-side or UI-level checks instead of enforcing permissions on the server, users with low-privileged roles (such as students) could perform operations intended only for instructors or administrators by calling the APIs directly.
As a result, students with a valid user account could:
- Enroll themselves and other users into unpublished course batches
- Enroll themselves in unpublished batches
- Delete sidebar pages
- Post discussion messages in a batch or a course they are not enrolled in
- Modify course and batch metadata
- Generate course certificates without meeting completion requirements
- Send batch-wide announcements to learners
- Assign badges to themselves and other users
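As an added illustration (not the project's code), a minimal Python model of the bug class described above: the "before" handler enrolls a user with no server-side check, trusting that the UI only showed the action to instructors, while the "after" handler enforces the role policy on the server. Role names, the policy table and function names are assumptions.

```python
# Added example, not the project's code. Roles, policy and names are assumed.
from dataclasses import dataclass, field


class PermissionDenied(Exception):
    pass


@dataclass
class Session:
    user: str
    role: str  # authoritative role from the server-side session, never from the request


@dataclass
class Batch:
    name: str
    published: bool
    enrolled: set = field(default_factory=set)


# Server-side policy: which roles may perform each privileged action.
POLICY = {
    "enroll_other_user": {"instructor", "admin"},
    "enroll_unpublished": {"instructor", "admin"},
}


def require(session: Session, action: str) -> None:
    if session.role not in POLICY[action]:
        raise PermissionDenied(f"{session.user} ({session.role}) may not {action}")


def enroll_vulnerable(session: Session, batch: Batch, user: str) -> bool:
    # Before: the only "check" was that the UI hid the button from students.
    batch.enrolled.add(user)
    return True


def enroll_fixed(session: Session, batch: Batch, user: str) -> bool:
    # After: enforce permissions on the server regardless of what the client sent.
    if user != session.user:
        require(session, "enroll_other_user")
    if not batch.published:
        require(session, "enroll_unpublished")
    batch.enrolled.add(user)
    return True


def try_enroll_fixed(session: Session, batch: Batch, user: str) -> bool:
    # Convenience wrapper: True if the enrollment was allowed, False if denied.
    try:
        return enroll_fixed(session, batch, user)
    except PermissionDenied:
        return False
```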
Patches
The problem has been fixed in release 2.41.0.
Acknowledgement
Reported by Devansh - GitHub
Discovered by Zeropath