CVE-2020-24381

7.5 HIGH

📋 TL;DR

This vulnerability in GUnet Open eClass Platform allows remote attackers to access students' submitted assessments due to improper directory listing restrictions. The web server fails to block directory listings, exposing sensitive data directories within the web root. All installations using versions before 3.11 with default configurations are affected.

💻 Affected Systems

Products:
  • GUnet Open eClass Platform (openeclass)
Versions: All versions before 3.11
Operating Systems: All platforms running the web application
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists because the data directory is inside the web root by default, and directory listings are not properly restricted.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could download all student submissions, potentially exposing sensitive academic work, personal information, and assessment data, leading to academic integrity breaches and privacy violations.

🟠 Likely Case

Unauthorized access to student submissions and assessment files, potentially enabling cheating, data theft, or manipulation of academic records.

🟢 If Mitigated

With proper directory listing restrictions and access controls, the exposure would be limited to authorized users only.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only web browser access to directory listings; no authentication or special tools needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.11 and later

Vendor Advisory: https://github.com/gunet/openeclass/issues/39

Restart Required: No

Instructions:

1. Upgrade to Open eClass version 3.11 or later.
2. Verify the data directory is properly secured.
3. Test that directory listings are blocked.

🔧 Temporary Workarounds

Disable Directory Listings

Platforms: all

Configure the web server to block directory listings for sensitive directories:

For Apache: add 'Options -Indexes' to .htaccess or the virtual host config
For Nginx: add 'autoindex off;' to the server block

Move Data Directory

Platforms: all

Relocate the data directory outside the web root:

Move the data directory to a non-web-accessible location
Update the application configuration to point to the new location

🧯 If You Can't Patch

  • Implement strict web server configuration to disable directory listings
  • Move sensitive data directories outside the web root and update application paths

🔍 How to Verify

Check if Vulnerable:

Request the data directory URL (e.g., http://[host]/openeclass/data/) and check whether a directory listing is returned that shows files

Check Version:

Check version in admin panel or read application version files

Verify Fix Applied:

Attempt to access data directory URL and verify '403 Forbidden' or similar error appears instead of directory listing

📡 Detection & Monitoring

Log Indicators:

  • Multiple 200 OK responses to data directory paths
  • Unusual access patterns to /data/ directory

Network Indicators:

  • HTTP requests to /data/ paths from unauthorized IPs
  • Directory traversal attempts

SIEM Query:

web_access_logs status=200 AND uri_path CONTAINS '/data/'
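The log indicators and SIEM query above can be checked offline against exported access logs. The following is an added example, not part of this advisory: it parses combined-format (Apache/Nginx) access log lines, keeps 200 responses under the /openeclass/data/ prefix, and separates served directory listings (paths ending in '/') from individual file downloads. The sample log lines are constructed, and the data prefix is a parameter because deployments may mount the application under a different path.

```python
"""Added example: flag 200 responses to the eClass data directory in
combined-format access logs (the advisory's log indicator). Sample log
lines below are constructed; /openeclass/data/ is the default prefix."""
import re
from collections import Counter

# Combined log format: ip - - [time] "METHOD path HTTP/x" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample traffic (not real logs).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2020:13:55:36 +0000] "GET /openeclass/data/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2020:13:55:40 +0000] "GET /openeclass/data/assignments/ HTTP/1.1" 200 7340 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2020:13:56:01 +0000] "GET /openeclass/index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2020:13:56:05 +0000] "GET /openeclass/data/ HTTP/1.1" 403 199 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2020:13:56:10 +0000] "GET /openeclass/data/assignments/123/report.pdf HTTP/1.1" 200 88210 "-" "Mozilla/5.0"
"""

def find_data_dir_hits(log_text, data_prefix="/openeclass/data/"):
    """Return (listings, files): 200 responses for a directory under
    data_prefix (trailing slash, i.e. a listing was served) and 200
    responses for individual files under it. Non-200 lines are ignored."""
    listings, files = [], []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("status") != "200":
            continue
        path = m.group("path").split("?", 1)[0]  # drop any query string
        if not path.startswith(data_prefix):
            continue
        (listings if path.endswith("/") else files).append((m.group("ip"), path))
    return listings, files

def summarize(log_text, data_prefix="/openeclass/data/"):
    """Per-IP counts of data-directory hits; any served listing means the
    'Options -Indexes' / 'autoindex off;' mitigation is not in effect."""
    listings, files = find_data_dir_hits(log_text, data_prefix)
    per_ip = Counter(ip for ip, _ in listings + files)
    return {"listings": listings, "files": files, "per_ip": dict(per_ip)}

if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for ip, path in result["listings"]:
        print(f"LISTING SERVED {ip} {path}")
    print("per-IP data-directory hits:", result["per_ip"])
```

A 403 on the data directory root (fourth sample line) is the expected post-fix behaviour and is deliberately not counted.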
