❗IDOR2
A Business Logic Vulnerability and Insecure Direct Object Reference (IDOR) was discovered in Cornerstone OnDemand LMS v24.2.5.32.
Insecure Direct Object Reference (IDOR) - authenticated
Discovered by Dan Gilbert
CVE-2025-60930
Description
Business Logic Vulnerability in Cornerstone OnDemand LMS v24.2.5.32 Allows Arbitrary Course Completion by Manipulating courseId Parameter. 
A Business Logic Vulnerability was discovered in Cornerstone OnDemand LMS v24.2.5.32 that allows an authenticated attacker to artificially mark any course as completed, regardless of whether they have legitimately completed the course. The vulnerability lies in the insufficient validation of the courseId parameter during the course completion submission process. After an attacker legitimately completes one course, they can modify the courseId parameter in the POST /lms/scorm/clientLMS/Terminate.aspx request to reflect the GUID of any other course. As a result, this arbitrary course can be marked as complete using an existing valid session.
The attack is enabled by weak server-side validation of the completion record submission process: the server relies on the client-supplied courseId without verifying that it matches the course the user actually completed.
POST /lms/scorm/clientLMS/Terminate.aspx?user_id={user_id}&aicc_sid={aicc_sid}&corpName={corpName}&courseId={courseId}
Exploit
This flaw can be exploited as follows:
1. The user completes a valid course, which triggers a request to the endpoint POST /lms/scorm/clientLMS/Terminate.aspx, marking the course as completed and generating a valid encrypted payload.
2. The attacker intercepts this request and modifies the courseId parameter to the GUID of another course that they have not completed.
3. The server accepts the manipulated request and marks the arbitrary course as completed using the authenticated user's session.

This vulnerability allows users to bypass course completion requirements, potentially leading to unauthorized certifications or compliance violations. It undermines the integrity of training and learning programs, as users can gain credit for taking courses they have not completed. In industries that require training for regulatory or legal compliance, such as healthcare or finance, this could have significant negative impacts, including potential legal consequences and loss of trust in the system’s validity.
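The following is an added example, not code from the advisory or from Cornerstone OnDemand, showing the server-side check that closes this gap (the completion is only accepted for the course the session was launched for) and the same check replayed over access-log lines to find past mismatches. It assumes a server-side record mapping each (user_id, aicc_sid) pair to the launched course; the session IDs, GUIDs and log lines are constructed.

```python
from urllib.parse import urlparse, parse_qs

# Constructed sample: which course each session was launched for. A real LMS would
# write this record server-side at launch time; the client never supplies it.
LAUNCHED_SESSIONS = {
    ("user-1001", "sid-7f3a"): "c0ffee00-1111-2222-3333-444455556666",
    ("user-1002", "sid-91b2"): "deadbeef-aaaa-bbbb-cccc-ddddeeeeffff",
}

# Constructed access-log lines for the completion endpoint: "METHOD URL STATUS".
SAMPLE_LOG = """\
POST /lms/scorm/clientLMS/Terminate.aspx?user_id=user-1001&aicc_sid=sid-7f3a&corpName=acme&courseId=c0ffee00-1111-2222-3333-444455556666 200
POST /lms/scorm/clientLMS/Terminate.aspx?user_id=user-1001&aicc_sid=sid-7f3a&corpName=acme&courseId=deadbeef-aaaa-bbbb-cccc-ddddeeeeffff 200
POST /lms/scorm/clientLMS/Terminate.aspx?user_id=user-1002&aicc_sid=sid-0000&corpName=acme&courseId=deadbeef-aaaa-bbbb-cccc-ddddeeeeffff 200
"""

def parse_terminate(line):
    """Return (user_id, aicc_sid, courseId) for a Terminate.aspx request, else None."""
    method, url, _status = line.split()
    parsed = urlparse(url)
    if method != "POST" or parsed.path != "/lms/scorm/clientLMS/Terminate.aspx":
        return None
    q = parse_qs(parsed.query)
    return q["user_id"][0], q["aicc_sid"][0], q["courseId"][0]

def validate_completion(user_id, aicc_sid, course_id, sessions=LAUNCHED_SESSIONS):
    """Server-side check: accept the completion only if the client-supplied courseId
    equals the course recorded for this user's session. Returns (accepted, reason)."""
    expected = sessions.get((user_id, aicc_sid))
    if expected is None:
        return False, "unknown session"
    if expected != course_id:
        return False, "courseId does not match launched course"
    return True, "ok"

def audit_log(log_text, sessions=LAUNCHED_SESSIONS):
    """Retrospective detection: Terminate requests that would fail the check above."""
    findings = []
    for line in log_text.splitlines():
        fields = parse_terminate(line)
        if fields is None:
            continue
        accepted, reason = validate_completion(*fields, sessions=sessions)
        if not accepted:
            findings.append((fields[0], fields[2], reason))
    return findings
```

Running audit_log(SAMPLE_LOG) flags the second line (a valid session submitting a different course's GUID) and the third (a session the server never issued).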