# IDOR1

## Insecure Direct Object Reference (IDOR) - authenticated <a href="#finding1" id="finding1"></a>

### CVE-2025-60929

### Description

A Business Logic Vulnerability and Insecure Direct Object Reference (IDOR) was discovered in Cornerstone OnDemand LMS v24.2.5.32. This vulnerability allows an authenticated attacker to artificially mark any course as complete by exploiting insufficient validation in the <mark style="color:red;">`loid`</mark> parameter.

Specifically, an attacker can manipulate the <mark style="color:red;">`loid`</mark> parameter in the `/LMS/Video/LaunchVideo.aspx?loid=`<mark style="color:red;">`{GUID}`</mark> URL to correspond to the GUID of *any* course.

Subsequently, by using browser developer tools, the attacker can trigger the <mark style="color:red;">`markComplete()`</mark> JavaScript function to submit the course completion action without necessarily having completed the course.

{% hint style="warning" %}
`https://example-pilot.csod.com/LMS/Video/LaunchVideo.aspx?loid=`<mark style="color:red;">`{GUID}`</mark>
{% endhint %}

The <mark style="color:red;">`markComplete()`</mark> function makes a POST request to `/LMS/Video/LaunchVideo.aspx` with the manipulated <mark style="color:red;">`loid`</mark> parameter and appropriate session cookies. The system relies exclusively on client-side mechanisms, without validating or authoritatively verifying the completion process against the actual course content or user progress.
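The missing server-side control, sketched as an added example (not Cornerstone's code and not from the original advisory): a completion handler that trusts the client, next to one that authorizes the `loid` for the session user and checks progress the server recorded itself. The `Store` model, the function names, the status codes, the 95% threshold and the sample GUIDs and users are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

REQUIRED_FRACTION = 0.95  # assumed completion threshold

@dataclass
class Store:
    durations: dict = field(default_factory=dict)    # loid -> video length (s)
    enrollments: set = field(default_factory=set)    # (user, loid) assignments
    watched: dict = field(default_factory=dict)      # (user, loid) -> seconds logged by server
    completed: set = field(default_factory=set)      # (user, loid) transcript entries

def complete_client_trusted(store, user, loid):
    """Behaviour described on this page: the POST alone marks the course complete."""
    store.completed.add((user, loid))
    return 200

def complete_server_verified(store, user, loid):
    """Hardened form: authorize the object, then check server-recorded progress."""
    # Object-level authorization. Unknown and unassigned GUIDs get the same
    # answer so the endpoint does not confirm which course GUIDs exist.
    if loid not in store.durations or (user, loid) not in store.enrollments:
        return 404
    # Business-logic check against progress the server recorded itself.
    if store.watched.get((user, loid), 0) < REQUIRED_FRACTION * store.durations[loid]:
        return 409
    store.completed.add((user, loid))
    return 200

def sample_store():
    # Constructed sample data: placeholder GUIDs and user names.
    a, b = "00000000-0000-0000-0000-00000000000a", "00000000-0000-0000-0000-00000000000b"
    return Store(durations={a: 600, b: 900},
                 enrollments={("alice", a), ("alice", b)},
                 watched={("alice", a): 590, ("alice", b): 30}), a, b

if __name__ == "__main__":
    store, a, b = sample_store()
    print(complete_client_trusted(store, "mallory", b))   # accepted without any check
    store.completed.clear()
    print(complete_server_verified(store, "mallory", b))  # not assigned to this user
    print(complete_server_verified(store, "alice", b))    # assigned, but not watched
    print(complete_server_verified(store, "alice", a))    # assigned and watched
```

The user identity must come from the authenticated session, never from a request parameter, and the watched-time record is only as trustworthy as the server-side mechanism that writes it.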

***

### Exploit

This flaw can be exploited as follows:

{% stepper %}
{% step %}
An attacker retrieves and modifies the <mark style="color:red;">`loid`</mark> parameter in the course URL to target *any* specific course GUID.
{% endstep %}

{% step %}
Using browser developer tools (e.g., the console), the attacker triggers the <mark style="color:red;">`markComplete()`</mark> JavaScript function, which submits a POST request marking the course as completed.
{% endstep %}

{% step %}
As there is no proper server-side validation, the course gets incorrectly marked as completed in the system.
{% endstep %}
{% endstepper %}

<figure><img src="/files/gloxTQ4S0MYMMgOp4qXy" alt=""><figcaption><p>Method 1 - Exploit the markComplete() function</p></figcaption></figure>

<figure><img src="/files/LdIwCUKyVQkR6iUTjwoR" alt=""><figcaption><p>Method 2 - Intercept/Modify the POST request</p></figcaption></figure>

{% hint style="danger" %}
This vulnerability allows an attacker to fraudulently complete and potentially gain certifications or credentials for courses they have not legitimately finished. The flaw undermines the integrity of the learning management system (LMS) by enabling unauthorized changes to course statuses. This could have serious implications in regulated or compliance-based industries where proof of training completion is critical.
{% endhint %}


