Summary
Security audit identified 10 vulnerabilities (1 CRITICAL, 6 HIGH, 2 MEDIUM, 1 LOW) in the Claroline LMS platform, primarily around missing authentication on several controller endpoints.
Critical Finding: Unauthenticated File Upload (CWE-306)
FileController.php:166 — POST /file/public/upload accepts file uploads with zero authentication:

```php
#[Route(path: '/public/upload', name: 'claro_public_file_upload', methods: ['POST'])]
public function uploadPublicAction(Request $request): JsonResponse
{
    // No @IsGranted attribute, no authentication check of any kind
    $file = $request->files->get('file');
    // ... processes and stores the file
}
```
Any anonymous user can upload files to the server.
High Findings
- Missing auth on training session cancel (SessionController.php:130): POST /cursus_session/cancel — any unauthenticated user can cancel training sessions.
- Missing auth on user listing endpoints (SessionUserController.php:46, EventUserController.php:44): list all registered users/event registrations without authentication.
- Path traversal / SSRF (EventPresenceController.php:310): the file[url] query parameter is passed to file_get_contents() — enables reading arbitrary local files or SSRF against internal hosts.
- Missing auth on training list endpoints (EventController.php:96, SessionController.php:71): list training events/sessions without authentication.
Medium Findings
- AbstractVoter default allow (AbstractVoter.php:160): default CRUD behavior allows all operations unless explicitly denied — a fail-open pattern.
- Missing auth on import sample (ImportController.php:126): potential path traversal via sample file download.
Pattern
Multiple Cursus (training management) plugin controllers are missing authentication annotations (@IsGranted) while the core controllers properly enforce them — an inconsistency between the plugin and core, where a single unguarded endpoint is enough to expose the data or action behind it.
Recommended Fixes
- Add #[IsGranted('IS_AUTHENTICATED_FULLY')] to uploadPublicAction, or otherwise restrict it to authenticated users
- Add authentication checks to all Cursus plugin controllers
- Validate the file[url] parameter against path traversal and SSRF
- Change the AbstractVoter default from allow to deny
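The following is an added illustration of the first and third fixes, not Claroline's code: the upload action guarded by the attribute, and a helper that refuses anything but public http(s) URLs before the controller fetches them. The class and helper names are hypothetical; the IsGranted attribute namespace assumes Symfony 6.2 or later.

```php
<?php
// Added example (not project code): hardened shape of the upload action and a URL gate for file[url].
use Symfony\Component\HttpFoundation\JsonResponse;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\Routing\Annotation\Route;
use Symfony\Component\Security\Http\Attribute\IsGranted; // assumes Symfony >= 6.2

final class HardenedFileController // hypothetical name
{
    // Fix 1: the attribute makes the firewall reject anonymous callers before the body runs.
    #[Route(path: '/public/upload', name: 'claro_public_file_upload', methods: ['POST'])]
    #[IsGranted('IS_AUTHENTICATED_FULLY')]
    public function uploadPublicAction(Request $request): JsonResponse
    {
        $file = $request->files->get('file');
        if (null === $file) {
            return new JsonResponse(['error' => 'missing file'], 400);
        }
        // ... validate type and size, then store as before
        return new JsonResponse(['status' => 'ok']);
    }

    /**
     * Fix 3: never pass user input straight to file_get_contents().
     * Accepts only absolute http(s) URLs whose host resolves to a public IP, which rules out
     * file://, php://, relative paths, loopback and RFC 1918 / reserved ranges.
     */
    public static function assertSafeRemoteUrl(string $url): string // hypothetical helper
    {
        $parts = parse_url($url);
        if (false === $parts || !isset($parts['scheme'], $parts['host'])) {
            throw new \InvalidArgumentException('Malformed URL');
        }
        if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
            throw new \InvalidArgumentException('Only http(s) URLs are allowed');
        }
        // gethostbyname() returns the input unchanged on failure, so a bare hostname fails the IP filter below.
        $ip = gethostbyname($parts['host']);
        $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
        if (false === filter_var($ip, FILTER_VALIDATE_IP, $flags)) {
            throw new \InvalidArgumentException('Host does not resolve to a public address');
        }
        return $url;
    }
}
```

To avoid a DNS-rebinding bypass, the fetch that follows should connect to the resolved $ip rather than re-resolving the hostname.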
Found during security research. This report describes vulnerability classes and fixes without providing exploit code.