The Open eClass platform, formerly known as GUnet eClass, is a comprehensive course management system widely used in educational environments. Prior to version 4.2, it suffers from an Insecure Direct Object Reference (IDOR) vulnerability classified under CWE-639 (Authorization Bypass Through User-Controlled Key). This vulnerability arises because the application allows unauthenticated remote attackers to directly request user-specific resources using predictable user identifiers without proper authorization checks. Consequently, attackers can access personal files belonging to other users without any authentication or interaction, leading to a breach of confidentiality. The vulnerability has a CVSS 3.1 base score of 7.5, indicating high severity, with the vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, meaning it is remotely exploitable over the network with low attack complexity, requires no privileges or user interaction, and impacts confidentiality only. The issue has been addressed and patched in Open eClass version 4.2. No public exploits have been reported so far, but the predictable nature of user identifiers and lack of authentication checks make this vulnerability a significant risk for organizations running outdated versions of the platform.

For European organizations, particularly educational institutions and universities that rely on Open eClass for course management, this vulnerability poses a serious risk to the confidentiality of user data. Unauthorized access to personal files can lead to privacy violations, exposure of sensitive academic records, and potential compliance issues under GDPR. Although the vulnerability does not affect data integrity or system availability, the breach of confidential information can damage institutional reputation and erode trust among students and staff. The ease of exploitation without authentication increases the likelihood of opportunistic attacks, especially in environments where Open eClass is exposed to the internet. Additionally, the exposure of personal data could be leveraged for further targeted attacks such as phishing or social engineering within the affected organizations.

Organizations should immediately upgrade Open eClass installations to version 4.2 or later, where this vulnerability has been patched. Until the upgrade is applied, administrators should implement strict network access controls to limit exposure of the Open eClass platform to trusted internal networks only. Review and enhance authorization checks to ensure that user identifiers cannot be manipulated to access unauthorized resources. Employ monitoring and logging to detect unusual access patterns indicative of exploitation attempts. Educate users and administrators about the risks of using outdated software and the importance of timely patching. Where possible, implement additional application-layer protections such as web application firewalls (WAFs) configured to detect and block suspicious requests targeting user identifiers. Finally, conduct regular security assessments and penetration tests to verify that no similar authorization bypass issues exist.