Platform: php
Component: openeclass
Fixed in: 4.2.1
CVE-2026-24666 describes a Cross-Site Request Forgery (CSRF) vulnerability discovered in Open eClass, a comprehensive course management system. This vulnerability allows attackers to trick authenticated teachers into performing actions they didn't intend, potentially leading to unauthorized modifications within the platform. The vulnerability affects versions of Open eClass prior to 4.2, and a patch has been released in version 4.2.
The primary impact of this CSRF vulnerability lies in the potential for unauthorized modifications to course content and student data. An attacker could craft malicious requests that, when executed by a logged-in teacher, would alter assignment grades, change course settings, or even create new content. This could disrupt the learning environment, compromise data integrity, and potentially lead to academic dishonesty. The blast radius is limited to users with teacher privileges within the affected Open eClass instance; however, the consequences of unauthorized modifications can be significant.
This vulnerability was publicly disclosed on 2026-02-03. No public proof-of-concept (PoC) code has been released at the time of writing. The vulnerability is not currently listed on the CISA KEV catalog. Given the nature of CSRF vulnerabilities and the availability of automated tools, exploitation is possible, though currently unconfirmed.
Educational institutions and organizations utilizing Open eClass for course management are at risk. Specifically, deployments running versions prior to 4.2, particularly those with shared teacher accounts or inadequate security practices, are more vulnerable. Organizations relying on Open eClass for critical academic processes should prioritize patching.
• php / server: search the installation for the teacher-restricted endpoint handlers.
  find /var/www/open-eclass -type f -name '*.php' -print0 | xargs -0 grep -i 'teacher_restricted_endpoint'
• generic web: Check for teacher-restricted endpoints accessible without proper CSRF protection. Use curl to test for CSRF tokens.
  curl -v 'https://your-open-eclass-instance/teacher/grade_update.php?grade=A&student_id=123' 2>&1 | grep -i 'csrf_token'
Exploit Status
EPSS
0.05% (15th percentile)
CISA SSVC
CVSS Vector
The recommended mitigation for CVE-2026-24666 is to immediately upgrade Open eClass to version 4.2 or later. If upgrading is not immediately feasible, consider implementing temporary workarounds such as requiring multi-factor authentication (MFA) for all teacher accounts to add an extra layer of security. Implementing strict Content Security Policy (CSP) headers can also help mitigate CSRF attacks by restricting the sources from which the browser can load resources. After upgrading, confirm the fix by attempting to trigger a grade modification via a crafted CSRF request and verifying that the action is blocked.
Upgrade Open eClass to version 4.2 or later. This version contains the fix for the CSRF vulnerability. The upgrade can be performed through the administration panel or by downloading the latest version of the software from the official website and following the upgrade instructions.
CVE-2026-24666 is a Cross-Site Request Forgery (CSRF) vulnerability affecting Open eClass versions before 4.2, allowing attackers to trick teachers into performing unauthorized actions.
You are affected if you are using Open eClass version 4.2 or earlier. Upgrade to 4.2 to mitigate the risk.
The primary fix is to upgrade Open eClass to version 4.2 or later. Consider MFA and CSP as temporary workarounds if immediate upgrade is not possible.
There is no confirmed active exploitation of CVE-2026-24666 at this time, but the vulnerability is potentially exploitable given its nature.
Refer to the Open eClass security advisories on their official website for the latest information and updates regarding CVE-2026-24666.