CVE-2026-24666: CWE-352: Cross-Site Request Forgery (CSRF) in gunet openeclass
The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a Cross-Site Request Forgery (CSRF) vulnerability in multiple teacher-restricted endpoints allows attackers to induce authenticated teachers to perform unintended actions, such as modifying assignment grades, via crafted requests. This issue has been patched in version 4.2.
AI Analysis
Technical Summary
Open eClass, formerly known as GUnet eClass, is a widely used course management system for online education. Prior to version 4.2 it contained a Cross-Site Request Forgery (CSRF) vulnerability, CVE-2026-24666 (CWE-352). The flaw affects multiple endpoints restricted to the teacher role: they did not verify that a state-changing request originated from the platform's own pages, so any request arriving with a valid teacher session cookie was honoured. An attacker can therefore craft a request (typically an auto-submitting HTML form on a page the attacker controls) that, when executed in the browser of a logged-in teacher who visits that page or follows a crafted link, modifies data such as assignment grades without the teacher's knowledge. The attacker needs no account on the platform; the victim must hold an active teacher session and must be lured to the attacker's content. The vulnerability does not expose confidential information directly but compromises data integrity by enabling unauthorized grade changes. The CVSS 3.1 base score of 6.5 (medium) corresponds to a network attack vector, low attack complexity, no privileges required for the attacker, user interaction required, unchanged scope (the vulnerable component and the data it protects both belong to the Open eClass application), no confidentiality or availability impact and high integrity impact. The vulnerability was publicly disclosed and patched in version 4.2; no exploitation in the wild has been reported. The flaw illustrates why web applications that manage sensitive academic data need anti-CSRF protections, such as synchronizer tokens, SameSite session cookies and Origin or Referer checks, on every state-changing request.
Potential Impact
For European organizations, particularly educational institutions using Open eClass, this vulnerability poses a significant risk to the integrity of academic records. Unauthorized modification of assignment grades undermines trust in the educational process and can affect student evaluations and institutional reputation. Confidentiality and availability are not directly impacted, but an integrity breach can bring administrative burden (re-validating affected grades), legal challenges and loss of stakeholder confidence. Institutions with many teachers on vulnerable versions face a larger attack surface, since every logged-in teacher is a potential victim. Because the attack is remote and needs only user interaction, phishing or social engineering aimed at teaching staff makes exploitation likely. Given the widespread adoption of Open eClass in Greece and other European countries, the impact could be substantial in those regions. The absence of known exploits in the wild reduces immediate risk but does not eliminate it: a working CSRF attack requires nothing more than an HTML page, so a public proof of concept could appear at any time.
Mitigation Recommendations
The primary mitigation is to upgrade Open eClass installations to version 4.2 or later, where the vendor added the missing request-origin checks. Anti-CSRF tokens can only be added inside the application itself, which is what the patch does; organizations unable to upgrade immediately can reduce exposure at the deployment layer: 1) Set the SameSite attribute on the session cookie. Open eClass runs on PHP, so if the platform uses PHP's native session cookie, session.cookie_samesite=Strict (or at least Lax) in php.ini (PHP 7.3 and later) stops the browser from attaching the cookie to cross-site POSTs; Lax still sends it on top-level GET navigations, so it only protects endpoints that refuse to change state on GET. 2) Reject cross-site state-changing requests at the reverse proxy: block POST requests to the teacher modules whose Sec-Fetch-Site header is cross-site or whose Origin header is not the platform's own origin. Prefer these over a Referer check, because browsers always send Origin on cross-origin POSTs, whereas Referer is frequently suppressed by referrer policies; a rule that merely blocks foreign Referers misses requests that carry none. 3) Educate teachers and staff about phishing and social engineering, since the attack needs a logged-in teacher to open attacker-controlled content. 4) Monitor web-server and application logs for grade modifications issued with a missing or off-site Referer or Origin, and for bursts of grade changes outside teaching hours, to detect exploitation attempts early. 5) A web application firewall (WAF) can host the rule in step 2, but signature-based rules do not help here: a forged request is byte-for-byte identical to a legitimate one apart from its provenance headers, so any rule must key on those headers. 6) Regularly audit and review user permissions to minimize the number of accounts holding teacher or administrator privileges.
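The attack path described in the Technical Summary and the token and request-origin checks listed in the mitigations above, as an added example. This is illustrative Python written for this page, not Open eClass code (Open eClass is a PHP application; its real endpoint paths, parameter names and session layout are not reproduced here). The deployment origin https://eclass.example.edu, the form fields assignment_id, student_id, grade and csrf_token, and the requests built in demo() are constructed assumptions.

```python
# Added example: CSRF gatekeeping for a grade-update POST handler.
# Illustrative code, not Open eClass code. SITE_ORIGIN, the form field
# names and the requests built in demo() are assumptions for this page.
import hmac
import secrets
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

SITE_ORIGIN = "https://eclass.example.edu"  # assumed origin of the deployment


def issue_csrf_token(session: Dict[str, str]) -> str:
    """Create, once per session, the synchronizer token that the platform
    embeds as a hidden field in its own forms and nowhere else."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def origin_of(url: str) -> Optional[str]:
    """scheme://host[:port] of a URL, or None if it has no usable origin."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def cross_site_reason(headers: Dict[str, str]) -> Optional[str]:
    """Why a state-changing request looks cross-site, or None if it does not.

    Sec-Fetch-Site is checked first (most reliable when present), then Origin,
    then Referer (often suppressed by referrer policies). With no provenance
    header at all the request is rejected: browsers attach Origin to every
    cross-origin POST, so a bare POST is not a normal form submission.
    """
    h = {k.lower(): v for k, v in headers.items()}
    sfs = h.get("sec-fetch-site")
    if sfs is not None:
        # "none" is a user-initiated navigation (address bar, bookmark)
        return None if sfs in ("same-origin", "none") else f"Sec-Fetch-Site={sfs}"
    origin = h.get("origin")
    if origin is not None:
        # the opaque origin "null" (sandboxed iframe, data: URL) is not ours
        return None if origin.lower() == SITE_ORIGIN else f"Origin={origin}"
    referer = h.get("referer")
    if referer is not None:
        return None if origin_of(referer) == SITE_ORIGIN else f"Referer={referer}"
    return "no Sec-Fetch-Site, Origin or Referer header"


def check_state_change(session: Dict[str, str], headers: Dict[str, str],
                       form: Dict[str, str]) -> Tuple[bool, str]:
    """Run before any grade-changing handler; both layers must pass.
    The headers are set by the browser and cheap to check; the token is
    the real control, because a cross-site page cannot read it."""
    reason = cross_site_reason(headers)
    if reason is not None:
        return False, f"cross-site request rejected: {reason}"
    expected = session.get("csrf_token", "")
    supplied = form.get("csrf_token", "")
    # constant-time comparison on bytes (compare_digest rejects non-ASCII str)
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False, "missing or invalid CSRF token"
    return True, "ok"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Constructed requests against one teacher session (assumed data)."""
    session = {"user": "teacher1", "role": "teacher"}
    token = issue_csrf_token(session)
    grade_change = {"assignment_id": "17", "student_id": "42", "grade": "10"}
    return {
        # the teacher submits the platform's own grading form
        "teacher_form": check_state_change(
            session, {"Origin": SITE_ORIGIN, "Sec-Fetch-Site": "same-origin"},
            {**grade_change, "csrf_token": token}),
        # auto-submitting form on an attacker page: same cookie, no token
        "forged_post": check_state_change(
            session, {"Origin": "https://attacker.example",
                      "Sec-Fetch-Site": "cross-site"}, grade_change),
        # attacker page sets a no-referrer policy and the browser has no Fetch
        # Metadata: Origin is still sent on a cross-origin POST
        "forged_no_referer": check_state_change(
            session, {"Origin": "https://attacker.example"}, grade_change),
        # provenance looks fine but the token is wrong: still rejected
        "stale_token": check_state_change(
            session, {"Sec-Fetch-Site": "same-origin"},
            {**grade_change, "csrf_token": "x" * 43}),
    }
```

Calling demo() returns the four outcomes: only the teacher's own form post is accepted. The header layer stops the forged requests before the token is even looked at, and the last case shows that a request which passes the header layer still fails on the token, which is the control the 4.2 patch adds inside the application; a reverse-proxy rule can only reproduce the header layer.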
Affected Countries
Greece, Germany, France, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-01-23T20:40:23.387Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6982fcd8f9fa50a62f76648b
Added to database: 2/4/2026, 8:01:28 AM
Last enriched: 2/4/2026, 8:17:01 AM
Last updated: 2/7/2026, 7:37:46 PM
Related Threats
- CVE-2026-2108: Denial of Service in jsbroks COCO Annotator (Medium)
- CVE-2026-2107: Improper Authorization in yeqifu warehouse (Medium)
- CVE-2026-2106: Improper Authorization in yeqifu warehouse (Medium)
- CVE-2026-2105: Improper Authorization in yeqifu warehouse (Medium)
- CVE-2026-2090: SQL Injection in SourceCodester Online Class Record System (Medium)