WordPress Plugin Vulnerabilities

LifterLMS < 4.21.2 - Access Other Student Grades/Answers via IDOR

Description

The plugin was affected by an IDOR (Insecure Direct Object Reference) issue: a quiz attempt was looked up by its attempt key alone, so any logged-in student who had another student's attempt URL could see that student's answers and grades.

Proof of Concept

- Add two users with the Student role for the scenario.
- Create a course with a quiz (I picked a True or False question for my quiz).
- Set enrolment to Free (for ease of the scenario).
- Enrol in the course as Student B and submit your answer to the quiz.

The plugin then returns a results URL carrying an attempt token, for example https://soft-dream.myliftersite.com/quiz/%d8%ac%d9%85%d8%b9-quiz/?attempt_key=wYK, which is used to check whether your answer was true or false.

Now log in as Student A and enrol in the course. Opening the same URL https://soft-dream.myliftersite.com/quiz/%d8%ac%d9%85%d8%b9-quiz/?attempt_key=wYK shows Student B's answer, because the plugin never checks that the attempt belongs to the current user.
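The missing check is an ownership test on the server side. The following is an added illustration, not LifterLMS code: it models the quiz-attempt lookup with a constructed in-memory store (attempt keys, student IDs and grades are all made up) and places the key-only lookup that produces the IDOR next to a lookup that also requires the attempt to belong to the requesting student.

```python
"""Model of a quiz-attempt results lookup: vulnerable (key only) vs. hardened (key + owner).

Hypothetical code added for illustration; it is not the plugin's implementation.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass(frozen=True)
class QuizAttempt:
    attempt_key: str
    student_id: int          # WordPress user ID of the student who took the quiz
    answers: Dict[str, bool] = field(default_factory=dict)
    grade: float = 0.0


# Constructed sample data: Student A has user ID 1, Student B has user ID 2.
ATTEMPTS: Dict[str, QuizAttempt] = {
    "wYK": QuizAttempt("wYK", student_id=2, answers={"q1": True}, grade=100.0),
    "aB3": QuizAttempt("aB3", student_id=1, answers={"q1": False}, grade=0.0),
}

ANONYMOUS_USER_ID = 0  # what get_current_user_id() returns for a logged-out visitor


def get_attempt_vulnerable(attempt_key: str, current_user_id: int) -> Optional[QuizAttempt]:
    """Vulnerable pattern: the attempt is resolved from the URL parameter alone.

    current_user_id is accepted but never consulted, so any visitor holding
    another student's attempt_key receives that student's answers and grade.
    """
    return ATTEMPTS.get(attempt_key)


def get_attempt_hardened(attempt_key: str, current_user_id: int) -> Optional[QuizAttempt]:
    """Hardened pattern: the key selects the record, the session decides access.

    Anonymous users and non-owners get the same 'not found' result as an
    unknown key, so the response does not confirm whether a key exists.
    """
    if current_user_id == ANONYMOUS_USER_ID:
        return None
    attempt = ATTEMPTS.get(attempt_key)
    if attempt is None or attempt.student_id != current_user_id:
        return None
    return attempt


def render_results(attempt_key: str, current_user_id: int, lookup=get_attempt_hardened) -> str:
    """Results page text for the given session; defaults to the hardened lookup."""
    attempt = lookup(attempt_key, current_user_id)
    if attempt is None:
        return "Quiz attempt not found."
    return f"Grade: {attempt.grade:.0f}% Answers: {attempt.answers}"


if __name__ == "__main__":
    # Student A (ID 1) opens Student B's results URL.
    print("vulnerable:", render_results("wYK", 1, lookup=get_attempt_vulnerable))
    print("hardened:  ", render_results("wYK", 1))
    print("owner:     ", render_results("wYK", 2))
```

Running the module prints Student B's grade for the vulnerable lookup and "Quiz attempt not found." for the hardened one; only the owning student (user ID 2) sees the results. Returning the same not-found response for an unauthorized owner and an unknown key is a deliberate choice: a distinct "forbidden" message would confirm to the requester that the key is valid. Roles that legitimately need to see every attempt (an instructor or administrator) should be granted through an explicit capability check, not by weakening the ownership rule.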

Affects Plugins

Fixed in 4.21.2

Classification

Type
IDOR

Miscellaneous

Original Researcher
Amirmuhammad vakili
Submitter
captain_hook
Verified
Yes

Timeline

Publicly Published
2021-05-17
Added
2021-07-22
Last Updated
2023-01-24