Platform
php
Component
eclass
Fixed in
2.25.10.2.1
CVE-2019-9886 is an arbitrary file access vulnerability in BroadLearning eClass versions before 2.25.10.2.1. It allows an unauthenticated attacker to download arbitrary files from the server, potentially exposing sensitive data. The flaw is in the download_attachment.php script in the templates folder and the home folder. Version 2.25.10.2.1 contains the fix.
The impact is significant because exploitation is easy and leads directly to data exfiltration. An attacker can retrieve any file readable by the web server process, including configuration files (and the database credentials they typically hold), application source code, database backups, and user data. Exposed credentials can turn a single file download into full compromise of the eClass instance and a foothold for lateral movement into the surrounding network. Because no authentication is required, every network-reachable instance is exposed to any attacker who can send it an HTTP request; as with other unauthenticated file-access flaws, there is no login to bypass, the script simply never asks for one.
CVE-2019-9886 was publicly disclosed on July 11, 2019. No active exploitation campaigns have been publicly confirmed and no proof-of-concept code has been published, but exploitation requires nothing more than a crafted unauthenticated HTTP request, so the vulnerability's severity makes it a likely target. It is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
Exploit Status
EPSS
0.47% (65th percentile)
CVSS Vector
The primary mitigation for CVE-2019-9886 is to upgrade eClass to version 2.25.10.2.1 or later immediately. If upgrading is not immediately feasible, restrict access to the download_attachment.php script as a temporary workaround: configure a Web Application Firewall (WAF) to block requests to it, or modify the web server configuration to deny access to it. Note that both workarounds also block legitimate attachment downloads for logged-in users, so scope the rule to the templates and home paths named in the advisory and plan for the functional impact. Additionally, review file permissions on the server so that sensitive files (configuration files, backups, files outside the web root) are not readable by the web server process; this limits what an arbitrary-file-read flaw can reach. After upgrading, verify the fix by requesting download_attachment.php without a session cookie or any other credentials; the request should be denied or redirected to the login page, and must not return file content.
Update the eClass platform to version 2.25.10.2.1 or later. This update corrects the vulnerability that allows the download of arbitrary files without authentication.
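The following probe automates that verification step. It is an added example written for this page, not BroadLearning's code, and it does not depend on any eClass API. Because the page does not document the script's query parameters, the operator pastes the exact download_attachment.php URL observed in a logged-in browser session (the hostname eclass.example.edu below is a placeholder), and the tool replays it with no cookies and no Authorization header, then classifies the response. The classification rules in classify_response() are this example's own assumptions about what a denied versus a served response looks like.

```python
#!/usr/bin/env python3
"""Unauthenticated probe to verify remediation of CVE-2019-9886.

Added example for this page; not BroadLearning's code. Replays a
download_attachment.php URL (copied from a logged-in session, e.g.
https://eclass.example.edu/home/download_attachment.php?... - placeholder host)
WITHOUT the session, and reports whether file content still comes back.
Only run this against systems you are authorised to test.
"""
import sys
import urllib.error
import urllib.request

REDIRECT_CODES = {301, 302, 303, 307, 308}


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects, so a 302 to the login page is
    reported as the status we received rather than as the login page's 200."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # urllib then raises HTTPError(code), which probe() catches


def classify_response(status, headers, body):
    """Map an HTTP response to a remediation verdict.

    headers: dict with lower-case header names. Returns one of:
      "denied"     - 401/403, or a redirect (typically to the login page)
      "not_found"  - 404: script removed or the requested file is absent
      "served"     - 200 carrying an attachment or a non-HTML body: content leaked
      "html_page"  - 200 HTML with no attachment header: probably a login/error page
      "empty"      - 200 with no body
      "unexpected" - any other status; inspect manually
    """
    if status in (401, 403) or status in REDIRECT_CODES:
        return "denied"
    if status == 404:
        return "not_found"
    if status != 200:
        return "unexpected"
    disposition = headers.get("content-disposition", "").lower()
    ctype = headers.get("content-type", "").lower()
    if "attachment" in disposition:
        return "served"
    if not body:
        return "empty"
    if ctype.startswith("text/html"):
        return "html_page"
    return "served"


def probe(url, timeout=10):
    """Fetch url with no credentials; return (status, verdict)."""
    req = urllib.request.Request(
        url,
        # Deliberately no Cookie and no Authorization header.
        headers={"User-Agent": "cve-2019-9886-check/1.0"},
    )
    opener = urllib.request.build_opener(NoRedirect())
    try:
        with opener.open(req, timeout=timeout) as resp:
            status = resp.status
            headers = {k.lower(): v for k, v in resp.headers.items()}
            body = resp.read(4096)  # enough to classify; do not pull the whole file
    except urllib.error.HTTPError as err:
        status = err.code
        headers = {k.lower(): v for k, v in err.headers.items()}
        body = err.read(4096)
    return status, classify_response(status, headers, body)


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check_cve_2019_9886.py <download_attachment.php URL>")
    status, verdict = probe(sys.argv[1])
    print(f"HTTP {status}: {verdict}")
    sys.exit(1 if verdict == "served" else 0)
```

A "served" verdict means the attachment came back with no session at all, so the instance is still exploitable (pick a test attachment that a logged-in user needs a session to see, not a deliberately public one). An "html_page" verdict is usually the login form or an error page, but read the body before trusting it, since a leaked HTML file would classify the same way. The same probe also confirms that a WAF or web server deny rule is in place, which shows up as "denied".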
CVE-2019-9886 is a critical vulnerability in BroadLearning eClass versions before 2.25.10.2.1 that allows attackers to download arbitrary files without authentication.
You are affected if you are running an eClass version earlier than 2.25.10.2.1. Check your version and upgrade immediately.
Upgrade eClass to version 2.25.10.2.1 or later. As a temporary workaround, configure a WAF to block requests to download_attachment.php.
While no confirmed active exploitation campaigns are publicly known, the vulnerability's severity and ease of exploitation make it a likely target.
Refer to the BroadLearning security advisory for details: [https://www.broadlearning.org/security-advisories/](https://www.broadlearning.org/security-advisories/)