
# Exploit Title: WordPress Plugin LifterLMS 4.21.1 - Access Other Student Grades/Answers via IDOR
# Date: 2021-05-17
# Exploit Author: captain_hook
# Vendor Homepage: https://lifterlms.com
# Software Link: https://lifterlms.com
# Version: 4.21.1
# Tested on: any

Description

The plugin was affected by an IDOR issue, allowing students to see other students' answers and grades.

Proof of Concept

- Add two users with the Student role for the scenario.
- Create a course with a quiz (I picked a True or False question for my quiz).
- Set enrollment to Free (for the ease of the scenario).
- Enroll in the course as Student B and submit your answers to the quiz.

The plugin will give a token like:

https://soft-dream.myliftersite.com/quiz/%d8%ac%d9%85%d8%b9-quiz/?attempt_key=wYK

to check whether your answer was true or false.

Now log in as Student A and enroll in the course. You can just use the URL

https://soft-dream.myliftersite.com/quiz/%d8%ac%d9%85%d8%b9-quiz/?attempt_key=wYK

and reach Student B's answers.

Fixed in version 4.21.2✓
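The root cause described above is that the quiz-results page trusted the attempt_key query parameter as proof of ownership, so anyone logged in with any key could read the record it identifies. The following is an added example, not LifterLMS code and not the vendor's 4.21.2 patch: it keeps the key as a record identifier but makes the page depend on the logged-in user owning the attempt or holding a grading capability. example_find_attempt_by_key(), the attempt array shape, the sample record and the use of edit_others_posts as the grading capability are all assumptions; get_current_user_id(), current_user_can(), sanitize_text_field(), wp_unslash(), esc_html__() and wp_die() are WordPress core functions.

```php
<?php
// Added example (not LifterLMS's own code): ownership check for a quiz attempt
// that is located by a user-supplied attempt_key. The lookup helper and the
// attempt array shape are assumptions made for the example.

/**
 * Hypothetical lookup standing in for the plugin's storage query.
 * Returns the attempt record for a key, or null when no such key exists.
 */
function example_find_attempt_by_key( string $attempt_key ): ?array {
    // Constructed sample data: one stored attempt, owned by user ID 12.
    $attempts = array(
        'wYK' => array(
            'attempt_key' => 'wYK',
            'student_id'  => 12,
            'quiz_id'     => 301,
            'answers'     => array( 'q1' => true ),
            'grade'       => 100,
        ),
    );
    return $attempts[ $attempt_key ] ?? null;
}

/**
 * Pure authorization rule, kept free of WordPress calls so it can be unit
 * tested: the attempt's owner may view it, as may a user who can grade.
 * Knowledge of the key alone never grants access.
 */
function example_can_view_attempt( array $attempt, int $viewer_id, bool $viewer_can_grade ): bool {
    if ( $viewer_id <= 0 ) {
        return false; // anonymous request
    }
    if ( (int) $attempt['student_id'] === $viewer_id ) {
        return true; // the student who took the quiz
    }
    return $viewer_can_grade; // instructors/admins, decided by capability
}

/**
 * Request handler. The vulnerable pattern returns the attempt as soon as the
 * key matches a record; here the key only selects the record and the session
 * decides whether it may be shown.
 */
function example_render_attempt_results(): void {
    $key     = isset( $_GET['attempt_key'] ) ? sanitize_text_field( wp_unslash( $_GET['attempt_key'] ) ) : '';
    $attempt = '' !== $key ? example_find_attempt_by_key( $key ) : null;

    // Assumption: edit_others_posts stands in for whatever grading capability
    // the plugin defines. One response covers both "no such key" and "not
    // yours", so a 403 never confirms that a guessed key exists.
    $allowed = null !== $attempt
        && example_can_view_attempt( $attempt, get_current_user_id(), current_user_can( 'edit_others_posts' ) );

    if ( ! $allowed ) {
        wp_die(
            esc_html__( 'You are not allowed to view this quiz attempt.' ),
            '',
            array( 'response' => 403 )
        );
    }

    // Only the owner (or a grader) reaches this point.
    foreach ( $attempt['answers'] as $question => $answer ) {
        echo esc_html( $question . ': ' . ( $answer ? 'true' : 'false' ) ) . "\n";
    }
    echo esc_html( 'Grade: ' . $attempt['grade'] ) . "\n";
}
```

With this rule in place the reproduction steps above fail at the last step: Student A, logged in and enrolled, still receives a 403 for Student B's attempt_key because the viewer ID does not match the attempt's student_id. A useful detection signal while rolling out such a fix is a logged-in user requesting attempt keys whose owner is a different account; the same ownership comparison that produces the 403 can emit that log line.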

References

https://make.lifterlms.com/2021/05/17/lifterlms-version-4-21-2/