# IDOR2

## Insecure Direct Object Reference (IDOR) - authenticated <a href="#finding1" id="finding1"></a>

{% hint style="success" %}
Discovered by Dan Gilbert
{% endhint %}

### CVE-2025-60930

### Description

Business Logic Vulnerability in Cornerstone OnDemand LMS v24.2.5.32 Allows Arbitrary Course Completion by Manipulating <mark style="color:red;">`courseId`</mark> Parameter.

A Business Logic Vulnerability was discovered in Cornerstone OnDemand LMS v24.2.5.32 that allows an authenticated attacker to artificially mark any course as completed, regardless of whether they have legitimately completed the course. The vulnerability lies in the insufficient validation of the <mark style="color:red;">`courseId`</mark> parameter during the course completion submission process. After an attacker legitimately completes one course, they can modify the <mark style="color:red;">`courseId`</mark> parameter in the `POST /lms/scorm/clientLMS/Terminate.aspx` request to reflect the GUID of *any* other course. As a result, this arbitrary course can be marked as complete using an existing valid session.

The attack is enabled by weak server-side validation of the completion record submission process, which relies on the client-supplied <mark style="color:red;">`courseId`</mark> without performing essential authorization checks.

{% hint style="warning" %}
POST /lms/scorm/clientLMS/Terminate.aspx?user\_id={user\_id}\&aicc\_sid={aicc\_sid}\&corpName={corpName}\&courseId=<mark style="color:red;">{courseId}</mark>
{% endhint %}
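The missing check can be shown with a small model. This is an added example, not Cornerstone code and not part of the original finding: the `Lms` class, its in-memory stores and the idea that the server records the launched course against `aicc_sid` are assumptions made for illustration, and all identifiers are constructed.

```python
# Added illustration: hypothetical in-memory model, not the vendor's code.
from dataclasses import dataclass, field

@dataclass
class LaunchSession:
    user_id: str
    course_id: str  # fixed server-side when the course is launched

@dataclass
class Lms:
    sessions: dict = field(default_factory=dict)  # aicc_sid -> LaunchSession
    completed: set = field(default_factory=set)   # (user_id, course_id)

    def launch(self, aicc_sid, user_id, course_id):
        self.sessions[aicc_sid] = LaunchSession(user_id, course_id)

    def terminate_weak(self, auth_user, aicc_sid, course_id):
        """Pattern described on this page: the client's courseId is trusted."""
        if aicc_sid not in self.sessions:
            return 403
        self.completed.add((auth_user, course_id))
        return 200

    def terminate_checked(self, auth_user, aicc_sid, course_id):
        """Completion is recorded only for the course bound to the session."""
        s = self.sessions.get(aicc_sid)
        if s is None or s.user_id != auth_user:
            return 403  # unknown session, or session owned by another user
        if s.course_id != course_id:
            return 403  # courseId does not match the launched course
        self.completed.add((s.user_id, s.course_id))  # server-side values only
        return 200

def demo():
    # Constructed sample identifiers.
    done, other = "course-A", "course-B"
    weak, fixed = Lms(), Lms()
    for lms in (weak, fixed):
        lms.launch("sid-1", "alice", done)
    return {
        "weak_mismatch": weak.terminate_weak("alice", "sid-1", other),
        "weak_recorded": ("alice", other) in weak.completed,
        "fixed_mismatch": fixed.terminate_checked("alice", "sid-1", other),
        "fixed_recorded": ("alice", other) in fixed.completed,
        "fixed_match": fixed.terminate_checked("alice", "sid-1", done),
    }
```

Rejected mismatches (the 403 on a `courseId` that differs from the launched course) are also a useful signal to log and alert on.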

***

### Exploit

This flaw can be exploited as follows:

{% stepper %}
{% step %}
The user completes a valid course which triggers a request to the endpoint `POST /lms/scorm/clientLMS/Terminate.aspx`, marking the course as completed, and generating a valid <mark style="color:yellow;">`encrypted`</mark> payload.
{% endstep %}

{% step %}
The attacker intercepts this request and modifies the <mark style="color:red;">`courseId`</mark> parameter to the GUID of another course that they have not completed.
{% endstep %}

{% step %}
The server accepts the manipulated request and marks the arbitrary course as completed using the authenticated user's session.
{% endstep %}
{% endstepper %}

<figure><img src="/files/jmNcvgaI9ihpJoNxDLPf" alt=""><figcaption></figcaption></figure>

{% hint style="danger" %}
This vulnerability allows users to bypass course completion requirements, potentially leading to unauthorized certifications or compliance violations. It undermines the integrity of training and learning programs, as users can gain credit for taking courses they have not completed. In industries that require training for regulatory or legal compliance, such as healthcare or finance, this could have significant negative impacts, including potential legal consequences and loss of trust in the system’s validity.
{% endhint %}


