20 matches found
CVE-2026-24774
Open eClass (formerly GUnet eClass) before version 4.2 is affected by a business‑logic flaw that lets authenticated students mark themselves present in attendance for activities, including those that have expired, by directly accessing a crafted URL. The issue has been patched in version 4.2. Rem...
CVE-2021-44266
CVE-2021-44266 affects GUnet Open eClass (openeclass) prior to version 3.12.2. The vulnerability is an XSS flaw exploitable via the modules/auth/formuser.php auth parameter. Root cause and remediation details are not provided in the supplied documents.
CVE-2020-24381
GUnet Open eClass Platform (openeclass) prior to 3.11 is vulnerable to reading submitted assessments due to directory listing not being blocked and the data directory being inside the web root. This could allow remote attackers to access student submissions. The affected product/version is public...
CVE-2026-24672
The CVE-2026-24672 entry concerns the Open eClass platform (formerly GUnet eClass). Before version 4.2, authenticated students could inject stored JavaScript into user profile fields, which executes when users with viewing privileges access affected pages. The vulnerability has been patched in ve...
CVE-2026-24664
Open eClass (formerly GUnet eClass) is affected prior to version 4.2 by a username enumeration issue where unauthenticated attackers can determine valid accounts by observing differences in login responses. The vulnerability specifically involves the login workflow, including the /login endpoint,...
CVE-2020-37115
GUnet OpenEclass 1.7.3 stores user credentials in plaintext, enabling administrators to view all registered users’ usernames and passwords without encryption. This is documented across multiple connected sources (CVE-2020-37115). The impact is sensitive information exposure and potential credenti...
CVE-2026-24668
CVE-2026-24668 affects the Open eClass platform (formerly GUnet eClass). Before version 4.2, an access-control flaw lets authenticated students add content to existing course units, an action normally restricted to higher-privileged roles. The issue is mitigated in version 4.2. Impact stated in s...
CVE-2020-37113
GUnet OpenEclass 1.7.3 is affected by a file upload extension bypass vulnerability. Authenticated users can rename a PHP file to .php3 or .PhP to bypass the exercise submission file-type checks, upload a web shell, and achieve remote code execution on the server. This is documented across CVE-202...
CVE-2026-24666
Open eClass (formerly GUnet eClass) is affected by a CSRF vulnerability in multiple teacher-restricted endpoints prior to version 4.2. The issue allows authenticated teachers to be induced into performing unintended actions (e.g., modifying assignment grades) via crafted requests. The vulnerabili...
CVE-2026-24671
Open eClass (formerly GUnet eClass) prior to version 4.2 is affected by a Stored XSS vulnerability in multiple high-privilege user input fields. Authenticated teachers/admins can inject malicious JavaScript, executed when other users load affected pages. Red Hat/NVD/CVE aggregations confirm the i...
CVE-2026-24665
Open eClass (formerly GUnet eClass) is affected by CVE-2026-24665 due to a stored XSS vulnerability in uploaded assignment files. Before version 4.2, authenticated students could inject JavaScript that executes when instructors view submissions. The issue has been addressed in version 4.2. Remedi...
CVE-2026-24669
CVE-2026-24669 affects Open eClass (formerly GUnet eClass). Before version 4.2, an insecure password reset mechanism allows a local attacker to reuse a valid password reset token after it has already been used, enabling unauthorized password changes and potential account takeover. The issue is mi...
CVE-2026-24773
The Open eClass platform (formerly GUnet eClass) before version 4.2 is affected by an Insecure Direct Object Reference (IDOR) that allows unauthenticated remote attackers to access other users’ personal files by requesting predictable user identifiers. Root cause: insufficient authorization check...
CVE-2020-37112
CVE-2020-37112 affects GUnet OpenEclass 1.7.3. The provided documents describe multiple SQL injection vulnerabilities in the agenda module and other endpoints, exploitable by authenticated attackers to manipulate queries and extract sensitive data via error-based or time-based techniques (via the...
CVE-2020-37116
GUnet OpenEclass 1.7.3 ships with phpMyAdmin 2.10.0.2 by default, enabling remote login. If an attacker gains platform access, they can reach phpMyAdmin, upload a shell, and view the config.php to obtain the MySQL password, enabling full database compromise. The provided documents do not specify ...
CVE-2026-24670
The CVE-2026-24670 entry covers the Open eClass platform (formerly GUnet eClass). Affected versions are those prior to 4.2 where a broken access control vulnerability permits authenticated students to create new course units, an action normally restricted to higher-privilege roles. The issue has ...
CVE-2026-24667
CVE-2026-24667 concerns the Open eClass platform (formerly GUnet eClass). Before version 4.2, the system failed to invalidate active user sessions after a password change, allowing existing session tokens to remain usable and potentially granting unauthorized continued access to user accounts. Th...
CVE-2026-24673
The CVE-2026-24673 entry describes a file upload validation bypass in Open eClass (formerly GUnet eClass) prior to version 4.2. Attackers could embed prohibited extensions inside ZIP archives and rely on the application's decompression to extract them, bypassing file-type checks. This issue has b...
CVE-2026-24674
Open eClass (formerly GUnet eClass) is vulnerable to a Reflected XSS in multiple endpoints prior to version 4.2. The root cause is reflected XSS that allows an attacker to coerce authenticated users into executing arbitrary JavaScript via crafted URLs. Impact is to expose user context data and po...
CVE-2020-37114
CVE-2020-37114 affects GUnet OpenEclass 1.7.3. The flaw arises from improper access controls and information disclosure in multiple modules, allowing both unauthenticated and authenticated users to access sensitive data (system info, application version) and view/download other users’ uploaded as...