CVE-2026-24666: CWE-352: Cross-Site Request Forgery (CSRF) in gunet openeclass
CVE-2026-24666 is a Cross-Site Request Forgery (CSRF) vulnerability affecting Open eClass versions prior to 4.2. This vulnerability allows attackers to trick authenticated teachers into executing unintended actions, such as modifying assignment grades, by sending crafted requests. The flaw exists in multiple teacher-restricted endpoints and requires the victim to be authenticated and interact with a malicious link or page. The vulnerability has been patched in version 4.2. With a CVSS score of 6.5, it is classified as medium severity. There are no known exploits in the wild currently. European educational institutions using Open eClass versions before 4.
AI Analysis
Technical Summary
Open eClass, formerly known as GUnet eClass, is a comprehensive course management system widely used in academic environments. Prior to version 4.2, it contained a Cross-Site Request Forgery (CSRF) vulnerability (CVE-2026-24666) in multiple endpoints restricted to teachers. CSRF vulnerabilities allow attackers to induce authenticated users to perform actions without their consent by exploiting the trust a web application places in the user's browser: the browser attaches the victim's session cookie to any request aimed at the application, whichever site initiated it. In this case, an attacker can craft malicious requests that, when executed by an authenticated teacher, can modify sensitive data such as assignment grades. The attacker needs no privileges of their own on the platform, but the attack does require the victim to be an authenticated teacher who interacts with a maliciously crafted link or webpage (user interaction). The CVSS 3.1 base score is 6.5, reflecting a medium severity level, with the vector indicating network attack vector, low attack complexity, no privileges required, but user interaction necessary, and high impact on integrity without affecting confidentiality or availability. The issue was addressed in Open eClass version 4.2 by implementing proper CSRF protections, likely including anti-CSRF tokens and validation of request origins. No known exploits have been reported in the wild, but the vulnerability poses a risk to the integrity of academic records and trust in the platform if left unpatched.
Potential Impact
For European organizations, particularly educational institutions using Open eClass, this vulnerability can lead to unauthorized modification of academic records, such as grades, undermining the integrity of educational assessments. This can cause reputational damage, legal liabilities, and loss of trust among students and staff. Since the vulnerability requires an authenticated teacher to be tricked into performing actions, social engineering or phishing campaigns could be used as attack vectors. The impact is primarily on data integrity, with no direct confidentiality or availability impact. However, the manipulation of grades or course content can have significant downstream effects on academic outcomes and institutional credibility. Institutions that have not upgraded to version 4.2 or implemented equivalent mitigations remain vulnerable. The lack of known exploits in the wild reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits over time.
Mitigation Recommendations
1. Upgrade all Open eClass installations to version 4.2 or later immediately to apply the official patch addressing the CSRF vulnerability.
2. Implement anti-CSRF tokens on all state-changing endpoints, ensuring that requests include a valid token that is verified server-side.
3. Enforce strict Referer or Origin header validation to confirm that requests originate from trusted sources.
4. Educate teachers and staff about phishing and social engineering risks to reduce the likelihood of falling victim to malicious links.
5. Monitor logs for unusual activity related to grade changes or other sensitive operations, enabling early detection of exploitation attempts.
6. Consider implementing multi-factor authentication (MFA) for teacher accounts to add an additional layer of security.
7. Regularly review and audit user permissions to ensure that only authorized personnel have access to sensitive functions.
8. Deploy web application firewalls (WAFs) with rules to detect and block CSRF attack patterns where feasible.
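As an added illustration of recommendations 2 and 3 (this is not code from Open eClass or from its 4.2 patch): a Python stand-in for the server-side check a teacher-only, state-changing endpoint should perform, combining a per-session anti-CSRF token with Origin/Referer validation. The allowed origin, the request object and the endpoint path are assumptions; the session token check is the primary control and the origin check is defence in depth, since Referer may be stripped by browser policy.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Origin from which the eClass UI is served: an assumed deployment value.
ALLOWED_ORIGINS = {"https://eclass.example.edu"}
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


@dataclass
class Request:
    """Minimal stand-in for an HTTP request (constructed, not the framework's object)."""
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)
    session: dict = field(default_factory=dict)


def issue_csrf_token(session: dict) -> str:
    """Mint the per-session secret once; every state-changing form must echo it back."""
    session.setdefault("csrf_token", secrets.token_urlsafe(32))
    return session["csrf_token"]


def request_origin(req: Request) -> Optional[str]:
    """Prefer Origin; fall back to the Referer's scheme+host; None if both are absent."""
    origin = req.headers.get("Origin")
    if origin:
        return origin.rstrip("/")
    referer = req.headers.get("Referer")
    if referer:
        u = urlsplit(referer)
        return f"{u.scheme}://{u.netloc}" if u.scheme and u.netloc else None
    return None


def csrf_check(req: Request) -> Tuple[bool, str]:
    """Return (allowed, reason): safe methods pass, state changes need token AND origin."""
    if req.method not in STATE_CHANGING:
        return True, "safe method"
    expected = req.session.get("csrf_token", "")
    supplied = req.form.get("csrf_token", "")
    # Constant-time compare; a cross-site page cannot read the real token out of the session.
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False, "missing or invalid csrf token"
    origin = request_origin(req)
    # A browser-submitted cross-site POST carries the other site's Origin (or none), never ours.
    if origin not in ALLOWED_ORIGINS:
        return False, f"untrusted origin {origin!r}"
    return True, "token and origin verified"
```

A rejected request is worth logging with its reason and the acting account, which is what recommendation 5 relies on for early detection.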
Affected Countries
Greece, Germany, France, Italy, Spain, Poland, Netherlands
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-01-23T20:40:23.387Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6982fcd8f9fa50a62f76648b
Added to database: 2/4/2026, 8:01:28 AM
Last enriched: 2/11/2026, 11:56:21 AM
Last updated: 3/25/2026, 4:14:45 AM