CVE-2020-37114 in GUnet OpenEclass

Summary

by MITRE • 02/03/2026

GUnet OpenEclass 1.7.3 allows unauthenticated and authenticated users to access sensitive information, including system information, application version, and other students' uploaded assessments, due to improper access controls and information disclosure flaws in various modules. Attackers can retrieve system info, version info, and view or download other users' files without proper authorization.


Analysis

by VulDB Data Team • 02/11/2026

CVE-2020-37114 affects GUnet OpenEclass version 1.7.3, a widely used open source learning management system deployed in educational institutions worldwide. This critical information disclosure flaw stems from inadequate access control: both unauthenticated and authenticated users can reach sensitive system data and other users' content that should be restricted. Because the weakness appears in several modules of the application, the exposed surface is broad and undermines the platform's basic authorization assumptions. Security researchers found that the system does not properly validate user permissions when serving system information, application version details, and student assessment materials, so requests that should be rejected are answered and the intended authorization controls are bypassed.

Technically, this is a classic case of improper access control as classified under CWE-285: the application does not enforce an authorization check before granting access to protected resources. The flaw lies in the system's inability to distinguish legitimate, properly privileged sessions from unauthorized requests. When a request reaches one of the affected endpoints, OpenEclass does not verify that the requesting entity holds the privileges the resource requires. As a result, system configuration details, the application version identifier and, most critically, other students' uploaded assessments and coursework can be retrieved without valid credentials or proper authorization. The issue is particularly concerning because it applies both to anonymous users who never authenticate and to legitimate accounts that have been compromised or whose credentials were obtained through other means.

The operational impact of CVE-2020-37114 extends well beyond simple data exposure. Disclosed system information and version details give attackers reconnaissance data for identifying further weaknesses in the platform's infrastructure. More seriously, access to other students' uploaded assessments raises privacy and academic integrity concerns: it can enable grade manipulation, academic dishonesty, or exposure of sensitive personal information. The vulnerability therefore affects both the confidentiality and the integrity of the system, since unauthorized data access can compromise the educational process and student privacy. Institutions running this version of OpenEclass also face potential regulatory exposure, especially under data protection regimes such as GDPR or FERPA, where unauthorized access to student information can carry significant legal and financial consequences.

Mitigation requires immediate attention from system administrators and security teams. The primary remediation is to enforce access control checks throughout all application modules, so that every request for system information or user data is both authenticated and authorized. This means strengthening session validation in the authentication framework and applying authorization controls that follow the principle of least privilege. Organizations should also consider input validation, output encoding, and proper error handling to prevent information leakage through error messages. The vulnerability aligns with ATT&CK technique T1213.002 (data from information repositories), as attackers can systematically extract sensitive information from the application's data stores. Regular security audits and penetration testing help uncover similar access control flaws, while web application firewalls and monitoring can help detect and block exploitation attempts. The affected version of OpenEclass should be upgraded to a patched release that addresses these access control weaknesses, as the vendor has likely released security updates for them. Administrators should additionally assess their deployed environments to confirm that no comparable weaknesses exist elsewhere in the application ecosystem.
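The remediation described above, an authorization check in front of every file-serving request, is illustrated here with an added example in PHP (OpenEclass's language). It is not OpenEclass code; the submission and role tables, the `authorize_download` function and the ids are constructed for the demonstration.

```php
<?php
// Illustrative example, not OpenEclass code: an authorization gate for
// downloading a student's uploaded assessment. The advisory describes files
// being served without verifying the requester; this handler only allows the
// submission's owner or a teacher of the same course.
declare(strict_types=1);

// Constructed sample data standing in for database rows.
const SUBMISSIONS = [
    // submission_id => [owner user_id, course_id, stored filename]
    17 => ['owner' => 101, 'course' => 'DEMO101', 'file' => 'essay_101.pdf'],
    18 => ['owner' => 102, 'course' => 'DEMO101', 'file' => 'essay_102.pdf'],
];
const COURSE_ROLES = [
    // course_id => [user_id => role]
    'DEMO101' => [101 => 'student', 102 => 'student', 7 => 'teacher'],
];

/**
 * Decide whether $userId may read $submissionId.
 * Returns the stored filename on success, null on denial. Callers must treat
 * null as a 403, never as "not found", so the response does not reveal
 * whether a given submission id exists.
 */
function authorize_download(?int $userId, int $submissionId): ?string
{
    if ($userId === null) {            // no authenticated session at all
        return null;
    }
    $sub = SUBMISSIONS[$submissionId] ?? null;
    if ($sub === null) {
        return null;                   // same answer as "denied"
    }
    $role      = COURSE_ROLES[$sub['course']][$userId] ?? null;
    $isOwner   = $sub['owner'] === $userId;
    $isTeacher = $role === 'teacher';
    if (!$isOwner && !$isTeacher) {
        return null;                   // another student in the same course
    }
    // basename() strips any directory component a tampered row might carry.
    return basename($sub['file']);
}

// Demo: student 102 requesting student 101's submission is refused, the owner
// and the course teacher are allowed, and an anonymous request is refused.
var_dump(authorize_download(102, 17));
var_dump(authorize_download(101, 17));
var_dump(authorize_download(7, 17));
var_dump(authorize_download(null, 18));
```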

Responsible: VulnCheck
Reservation: 02/03/2026
Disclosure: 02/03/2026
Moderation: accepted
CPE: ready


EPSS: 0.00053
KEV: no
Activities: very low
