CVE-2026-24666
CSRF Vulnerability in Open eClass Teachers Allows Grade Manipulation

Publication date: 2026-02-03

Last updated on: 2026-02-10

Assigner: GitHub, Inc.

Description
The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a Cross-Site Request Forgery (CSRF) vulnerability in multiple teacher-restricted endpoints allows attackers to induce authenticated teachers to perform unintended actions, such as modifying assignment grades, via crafted requests. This issue has been patched in version 4.2.
Meta Information
Published: 2026-02-03
Last Modified: 2026-02-10
Generated: 2026-05-07
AI Q&A: 2026-02-03
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)
Vendor: gunet
Product: open_eclass_platform
Version / Range: all versions before 4.2 (4.2 itself excluded)
CWE
CWE-352 (Cross-Site Request Forgery): The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-24666 is a Cross-Site Request Forgery (CSRF) vulnerability in the Open eClass platform affecting multiple teacher-restricted endpoints in versions prior to 4.2.

The vulnerability occurs because the affected endpoints act on any request that carries a valid teacher session, without a per-request token or an Origin/Referer check that would show the request came from a page the application itself served.

An attacker can craft malicious requests that, when executed by an authenticated teacher's browser, cause unauthorized actions such as modifying assignment grades or altering other course-related data without the teacher's consent.

For example, an attacker can host an HTML page that auto-submits a form to the vulnerable grading endpoint. The teacher's browser attaches the session cookie to that request automatically, so the server processes it as the teacher's own action. [1]
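To make the difference between the pre-4.2 behaviour and a protected handler concrete, here is an added example written for this page in Python. Open eClass itself is PHP, so this is a model of the check, not the project's code; the endpoint, parameter names, session layout and site origin are assumptions.

```python
"""Synchronizer-token CSRF check, modelled in Python (added example; Open eClass itself
is PHP and this is not its code). Endpoint, parameter names, session layout and the site
origin are assumptions made for illustration."""
import hmac
import secrets
from urllib.parse import urlsplit

SITE_ORIGIN = "https://eclass.example.edu"  # assumed deployment origin


def new_session() -> dict:
    """Create a logged-in teacher session with a fresh, unguessable per-session CSRF token."""
    return {"user": "teacher1", "role": "teacher", "csrf": secrets.token_hex(32)}


def render_form(session: dict) -> dict:
    """The server renders the grading form with the token embedded in the page body.
    A cross-site page cannot read another origin's page, so it cannot learn the token."""
    return {"assignment_id": "17", "grade": "9.5", "csrf_token": session["csrf"]}


def vulnerable_grade(session: dict, form: dict, headers: dict) -> bool:
    """Pre-4.2-style handling as the advisory describes it: only the role behind the
    session cookie is checked, so any request carrying that cookie is honoured."""
    return session["role"] == "teacher"


def _origin_ok(headers: dict) -> bool:
    """Accept only requests whose Origin (or, failing that, Referer) is our own origin.
    Browsers attach Origin to cross-site POSTs, so a forged request exposes itself here."""
    src = headers.get("Origin") or headers.get("Referer")
    if not src:
        return False  # no header at all: refuse rather than guess
    parts = urlsplit(src)
    return f"{parts.scheme}://{parts.netloc}" == SITE_ORIGIN


def hardened_grade(session: dict, form: dict, headers: dict) -> bool:
    """Same action with two independent CSRF defences: a synchronizer token compared in
    constant time, and an Origin/Referer check."""
    if session["role"] != "teacher":
        return False
    submitted = form.get("csrf_token", "")
    if not hmac.compare_digest(submitted, session["csrf"]):
        return False
    return _origin_ok(headers)


def demo() -> tuple:
    """Exercise both handlers with a legitimate submission and a forged one."""
    session = new_session()
    legit_form = render_form(session)
    legit_headers = {"Origin": SITE_ORIGIN}
    # Forged request: an attacker page auto-submits a form. The browser adds the teacher's
    # session cookie (hence the same `session` object), but the attacker cannot supply the
    # page-embedded token and the browser sets Origin to the attacker's site.
    forged_form = {"assignment_id": "17", "grade": "10"}
    forged_headers = {"Origin": "https://attacker.example"}
    return (
        vulnerable_grade(session, forged_form, forged_headers),  # forgery succeeds
        hardened_grade(session, forged_form, forged_headers),    # forgery rejected
        hardened_grade(session, legit_form, legit_headers),      # real teacher action passes
    )


if __name__ == "__main__":
    print(demo())
```

Both checks are kept on purpose: the token defeats a forged body, and the origin check catches the case where a token leaks (for instance through a reflected-XSS bug elsewhere) but the request still comes from a foreign page.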


How can this vulnerability impact me?

This vulnerability can allow attackers to induce authenticated teachers to perform unintended actions such as modifying assignment grades or altering course-related data.

The integrity of the grading system and course data can be compromised, potentially leading to unauthorized grade changes that are recorded as the teacher's own actions.

The attacker needs no account on the platform; the attack requires only that a logged-in teacher open a page the attacker controls. In CVSS terms, user interaction is required but no privileges are.

The overall impact is a high integrity impact, meaning data can be altered without authorization, which can undermine trust in the system.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection of this CSRF vulnerability involves monitoring for unexpected POST requests to teacher-restricted endpoints, such as /modules/work/index.php, especially those that modify assignment grades or course data.

A forged request is sent by the teacher's own browser, so it carries the teacher's session cookie and source IP and cannot be told apart from a legitimate submission by those fields. Before 4.2 the application issues no CSRF tokens at all, so a missing token is the norm and is not a usable signal. What a forged POST does reveal is where it came from: the browser sets the Origin header, and usually Referer, to the attacker's page rather than to the Open eClass host. Look for POST requests to teacher-only paths whose Origin or Referer names a foreign host, or is absent.

Network monitoring tools or web application firewalls (WAFs) can be configured to log or block such requests. A packet capture only shows plaintext HTTP, so on an HTTPS deployment inspect the web server's access log or a TLS-terminating proxy instead.

For manual inspection, you can use commands like:

- Using tcpdump to capture HTTP POST requests to the vulnerable endpoint (plaintext HTTP on port 80 only): tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep 'POST /modules/work/index.php'
- Using grep on web server logs to find POST requests to the grading endpoint, then reading the Referer column (the Apache "combined" log format records it) for hosts other than your own: grep 'POST /modules/work/index.php' /var/log/apache2/access.log
- After upgrading to 4.2, forged requests are rejected by the patched code, but they still appear in the access log with the foreign Referer, so the same search remains useful as an indicator of attempts. [1]
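The Referer heuristic can be scripted over the access log. The following is an added example, not part of the original page or of the Open eClass project; the hostname, the watched path prefix and the four log lines are constructed for illustration. It parses Apache "combined" format entries and reports state-changing requests to the assignment module whose Referer is absent or names another host, while leaving cross-site GETs alone, since following a link from another site is normal.

```python
"""Flag candidate CSRF hits in Apache 'combined' access logs (added example, not from the
Open eClass project). Hostname, watched paths and the sample log lines are constructed."""
import re
from urllib.parse import urlsplit

SITE_HOST = "eclass.example.edu"   # assumed hostname of the Open eClass instance
WATCHED = ("/modules/work/",)       # assignment module; extend with other teacher-only paths

# Apache 'combined' format: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

# Constructed sample: a legitimate grade submission, one with a cross-site Referer, one with
# no Referer at all, and a GET arriving from a foreign page (ordinary navigation, not an attack).
SAMPLE_LOG = """\
203.0.113.5 - - [04/Feb/2026:10:15:32 +0200] "POST /modules/work/index.php?course=TMA101 HTTP/1.1" 302 - "https://eclass.example.edu/modules/work/index.php?course=TMA101" "Mozilla/5.0"
203.0.113.5 - - [04/Feb/2026:10:16:01 +0200] "POST /modules/work/index.php?course=TMA101 HTTP/1.1" 302 - "https://attacker.example/prize.html" "Mozilla/5.0"
203.0.113.5 - - [04/Feb/2026:10:16:40 +0200] "POST /modules/work/index.php?course=TMA101 HTTP/1.1" 302 - "-" "Mozilla/5.0"
203.0.113.5 - - [04/Feb/2026:10:17:12 +0200] "GET /modules/work/index.php?course=TMA101 HTTP/1.1" 200 5120 "https://attacker.example/prize.html" "Mozilla/5.0"
"""


def classify(line: str):
    """Return (time, path, reason) for a state-changing request to a watched path that lacks
    a same-site Referer, or None for anything that looks normal or does not parse."""
    m = LOG_RE.match(line)
    if not m or m["method"] not in ("POST", "PUT", "DELETE"):
        return None
    if not m["path"].startswith(WATCHED):
        return None
    ref = m["referer"]
    if ref == "-" or not ref:
        # Absent Referer is ambiguous (Referrer-Policy, privacy extensions) but worth a look.
        return (m["time"], m["path"], "no-referer")
    host = urlsplit(ref).hostname
    if host != SITE_HOST:
        return (m["time"], m["path"], f"cross-site-referer:{host}")
    return None


def suspicious_posts(log_text: str) -> list:
    """Run the classifier over a whole log and keep only the hits, in log order."""
    hits = []
    for line in log_text.splitlines():
        result = classify(line)
        if result:
            hits.append(result)
    return hits


if __name__ == "__main__":
    for when, path, reason in suspicious_posts(SAMPLE_LOG):
        print(f"{when}  {path}  {reason}")
```

Treat hits as leads, not verdicts: the client IP in a hit is the teacher's, not the attacker's; a missing Referer can come from a strict Referrer-Policy; and an attacker page can suppress Referer but not the Origin header a browser adds to cross-site POSTs, so logging it with a custom LogFormat (`%{Origin}i`) and checking that field first gives a stronger signal.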


What immediate steps should I take to mitigate this vulnerability?

The primary mitigation step is to upgrade the Open eClass platform to version 4.2 or later, where this CSRF vulnerability has been patched.

Until the upgrade can be performed, note that an operator cannot add CSRF tokens to the application's forms without changing its code, so rely on controls outside the application. Set the SameSite attribute on the session cookie so the browser withholds it from cross-site POSTs; PHP 7.3 and later expose this as the session.cookie_samesite ini directive, which helps only if the application's session cookie is issued through PHP's session extension (verify this on your install rather than assuming it).

At a reverse proxy or WAF, reject POST requests to teacher-only paths whose Origin or Referer header names a host other than your own. Rejecting requests that carry neither header is stricter but can break legitimate clients with a restrictive Referrer-Policy.

Educate teachers and users to avoid visiting untrusted or suspicious web pages while logged into the Open eClass platform, and to log out when finished, to reduce the window in which a CSRF attack can succeed.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows attackers to induce authenticated teachers to perform unauthorized actions such as modifying assignment grades without consent. This represents a high integrity impact on the system's data.

While the vulnerability does not directly impact confidentiality or availability, the unauthorized modification of educational records could lead to non-compliance with standards and regulations that require data integrity and accountability.

GDPR is the more direct concern for a platform holding student data: Article 5(1)(d) requires personal data to be accurate, and Article 32 requires appropriate technical measures to protect its integrity, and silently altered grades run against both. HIPAA governs protected health information and would apply only if such data were handled in the same system.

Therefore, this CSRF vulnerability could undermine compliance by allowing unauthorized data manipulation, potentially leading to regulatory violations if exploited. [1]

