CVE-2026-2997
📋 TL;DR
Tronclass by WisdomGarden has an Insecure Direct Object Reference (IDOR) vulnerability that allows authenticated attackers to join any course by manipulating a course ID parameter to obtain invitation codes. This affects all Tronclass users with authenticated access. Attackers can bypass intended course enrollment controls.
💻 Affected Systems
- Tronclass Learning Management System
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Malicious actors join sensitive courses (e.g., HR training, executive sessions) to access confidential materials, potentially leading to data leaks or unauthorized information gathering.
Likely Case
Students or staff join courses they shouldn't access, violating academic integrity or accessing materials without proper authorization.
If Mitigated
With proper access controls and parameter validation, impact is limited to minor policy violations.
🎯 Exploit Status
Simple parameter manipulation after authentication; no special tools required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check vendor advisory for specific version
Vendor Advisory: https://www.twcert.org.tw/en/cp-139-10721-276b6-2.html
Restart Required: Yes
Instructions:
1. Contact WisdomGarden for the patched version.
2. Apply the update following vendor instructions.
3. Restart Tronclass services.
4. Verify the fix by repeating the parameter-manipulation test.
🔧 Temporary Workarounds
Access Control Enhancement
Implement server-side authorization checks for all course ID parameters
Parameter Validation
Add validation to ensure users can only access courses they are authorized for
🧯 If You Can't Patch
- Implement WAF rules to detect and block suspicious course ID parameter manipulation
- Enable detailed logging of all course access attempts and monitor for unauthorized joins
🔍 How to Verify
Check if Vulnerable:
Authenticate to Tronclass, then modify the course ID parameter in an invitation-code request so that it references a course you are not authorized for; if the invitation code is returned, the system is vulnerable.
Check Version:
Check Tronclass admin panel or contact vendor for version information
Verify Fix Applied:
After patching, repeat exploitation attempt; successful access control should prevent unauthorized course joining.
📡 Detection & Monitoring
Log Indicators:
- Multiple failed course access attempts
- Successful course joins from unexpected users
- Course ID parameter manipulation in logs
Network Indicators:
- Unusual patterns of course invitation code requests
- Requests with manipulated course ID parameters
SIEM Query (pseudo-syntax; adapt to your SIEM's query language and populate authorized_users from course enrollment data):
source="tronclass" AND (event="course_join" OR event="invitation_request") AND user NOT IN authorized_users
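As an added example (not Tronclass code) covering both the server-side authorization workaround above and the log indicators in this section: a vulnerable invitation-code lookup beside its hardened form, plus a detector that flags users whose denied requests span several course IDs. The data model, the instructor-only rule and the audit record format are assumptions.

```python
"""Added example (not Tronclass code): IDOR fix and detector for an
invitation-code endpoint. Data model and instructor-only rule are assumed."""
from collections import defaultdict
from dataclasses import dataclass, field

@dataclass
class Course:
    course_id: int
    invitation_code: str
    instructors: set = field(default_factory=set)

# Constructed sample data.
COURSES = {
    101: Course(101, "INV-101-ALPHA", instructors={"prof_li"}),
    202: Course(202, "INV-202-BETA", instructors={"prof_wang"}),
    303: Course(303, "INV-303-GAMMA", instructors={"prof_wang"}),
}
AUDIT = []  # one dict per hardened request: user, course_id, outcome

class Forbidden(Exception):
    pass

def invitation_code_vulnerable(caller, course_id):
    """Before: checks login only, then trusts client-supplied course_id (IDOR)."""
    if not caller:
        raise Forbidden("login required")
    return COURSES[course_id].invitation_code

def invitation_code_hardened(caller, course_id):
    """After: authorize the caller against that specific course, server side.
    Deny by default, with one answer for 'no such course' and 'not your course'
    so the endpoint cannot be used to enumerate course ids."""
    if not caller:
        raise Forbidden("login required")
    course = COURSES.get(course_id)
    allowed = course is not None and caller in course.instructors
    AUDIT.append({"user": caller, "course_id": course_id,
                  "outcome": "allow" if allowed else "deny"})
    if not allowed:
        raise Forbidden("not authorized for this course")
    return course.invitation_code

def probing_users(events, min_distinct_courses=3):
    """Users with denied invitation requests across several distinct course ids."""
    denied = defaultdict(set)
    for e in events:
        if e["outcome"] == "deny":
            denied[e["user"]].add(e["course_id"])
    return sorted(u for u, ids in denied.items() if len(ids) >= min_distinct_courses)
```

The vulnerable function hands any logged-in user any course's code; the hardened one denies by default and records an audit event that the detector turns into the "multiple failed course access attempts" indicator listed above.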