IDOR1

A Business Logic Vulnerability and Insecure Direct Object Reference (IDOR) was discovered in Cornerstone OnDemand LMS v24.2.5.32.

Insecure Direct Object Reference (IDOR) - authenticated

CVE-202#-#####

Description

This vulnerability allows an authenticated attacker to artificially mark any course as complete by exploiting insufficient validation of the loid parameter.

Specifically, an attacker can manipulate the loid parameter in the /LMS/Video/LaunchVideo.aspx?loid={GUID} URL to correspond to the GUID of any course.

Subsequently, by using browser developer tools, the attacker can trigger the markComplete() JavaScript function to submit the course completion action without having necessarily completed the course.

The markComplete() function makes a POST request to /LMS/Video/LaunchVideo.aspx with the manipulated loid parameter and appropriate session cookies. The system relies exclusively on client-side mechanisms, without validating or authoritatively verifying the completion process against the actual course content or user progress.


Exploit

This flaw can be exploited as follows:

1. An attacker retrieves and modifies the loid parameter in the course URL to target any specific course GUID.

2. Using browser developer tools (e.g., the console), the attacker triggers the markComplete() JavaScript function, which submits a POST request marking the course as completed.

3. As there is no proper server-side validation, the course gets incorrectly marked as completed in the system.

Method 1 - Exploit the markComplete() function
Method 2 - Intercept/Modify the POST request
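
As an added illustration (not Cornerstone's code), the completion endpoint modelled two ways: one that trusts the posted loid as the vulnerable page does, beside one that enforces the missing server-side checks (object-level authorization on loid, then completion decided from server-tracked progress). The enrollment data, progress values, 95% threshold and function names are constructed assumptions.

```python
# Added illustration (not Cornerstone's code): a minimal model of a
# "mark complete" handler, client-trusting version beside a validated one.
# All state below is constructed sample data.
from dataclasses import dataclass

# Constructed sample state: which learning objects each user is enrolled in,
# and the video progress the SERVER has recorded for each (user, loid) pair.
ENROLLMENTS = {"alice": {"course-guid-A"}, "bob": {"course-guid-B"}}
PROGRESS = {("alice", "course-guid-A"): 0.42, ("bob", "course-guid-B"): 0.97}
COMPLETE_THRESHOLD = 0.95  # assumed policy: 95% watched counts as complete


@dataclass
class Result:
    ok: bool
    reason: str


def mark_complete_vulnerable(user: str, loid: str, completed: dict) -> Result:
    """Mirrors the flaw: any loid the client posts is recorded as complete,
    with no check that the user is enrolled or has watched the content."""
    completed.setdefault(user, set()).add(loid)
    return Result(True, "marked complete (no validation)")


def mark_complete_hardened(user: str, loid: str, completed: dict,
                           audit: list) -> Result:
    """Server-side checks: (1) the session user must be authorized for the
    loid they reference; (2) completion is derived from server-tracked
    progress, never from the client's say-so. Rejections are logged so
    repeated attempts can be detected."""
    if loid not in ENROLLMENTS.get(user, set()):
        audit.append(f"IDOR attempt: user={user} loid={loid}")
        return Result(False, "not enrolled in this learning object")
    if PROGRESS.get((user, loid), 0.0) < COMPLETE_THRESHOLD:
        audit.append(f"premature completion: user={user} loid={loid}")
        return Result(False, "server-side progress below threshold")
    completed.setdefault(user, set()).add(loid)
    return Result(True, "marked complete")
```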
