Executive Summary

CVE-2026-24774 is a business logic vulnerability in the Open eClass platform (versions up to 4.1) that allows authenticated students to fraudulently mark themselves as present in attendance activities, including those that have already expired.

The flaw exists because the attendance module fails to properly enforce authorization and state validation. A student can craft a special URL with parameters like course ID, attendance ID, and an incremental actId to mark attendance regardless of the activity’s actual status or prior attendance records.

This means students can manipulate attendance data, compromising the integrity of academic records. Exploitation requires only low privileges (student role) and no user interaction beyond accessing the crafted URL.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can impact you by allowing students to fraudulently mark themselves as present in attendance activities, including those that have already expired.

Such manipulation compromises the integrity of academic records, potentially affecting attendance tracking, grading, and overall course management.

Since the attack requires only low privileges and minimal effort, it poses a moderate risk to the accuracy and trustworthiness of attendance data.

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring for unusual or unauthorized access to the attendance module URLs that include parameters such as course ID, attendance ID, and actId. Specifically, look for HTTP requests where authenticated student accounts access URLs similar to: http://<eclass_server>/modules/attendance/index.php?course=...&attendance_id=...&actId=...&qrCode_presence=true.'}, {'type': 'paragraph', 'content': 'To detect exploitation attempts, you can analyze web server logs for such crafted URLs accessed by student roles, especially for attendance activities that are expired or should not be accessible.'}, {'type': 'paragraph', 'content': 'Suggested commands to detect this activity include:'}, {'type': 'list_item', 'content': "Using grep on web server logs to find suspicious attendance URL access: grep -i 'modules/attendance/index.php' /var/log/apache2/access.log | grep -E 'attendance_id=[0-9]+'"}, {'type': 'list_item', 'content': "Filter logs for specific actId parameters that may indicate manipulation: grep 'actId=' /var/log/apache2/access.log"}, {'type': 'list_item', 'content': 'Correlate these log entries with user roles to identify if accessed by authenticated students.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation step is to upgrade the Open eClass platform to version 4.2 or later, where this business logic vulnerability has been patched.

Until the upgrade can be applied, consider restricting access to the attendance module URLs to prevent students from manually crafting URLs to mark attendance.

Additionally, monitor and audit attendance records for suspicious entries that may indicate exploitation of this vulnerability.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows authenticated students to fraudulently mark themselves as present in attendance activities, compromising the integrity of academic records. This manipulation of attendance data reflects a low integrity impact but does not directly affect confidentiality or availability.

There is no specific information provided about how this vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.

Useful 0 Not Useful 0