Unknown · Openfun Richie · CVE-2026-26717
**Name of the Vulnerable Software and Affected Versions**
OpenFUN Richie (LMS) (affected versions not specified)
**Description**
The application uses a non-constant-time comparison for HMAC signature verification in the `sync course run from request` function in src/richie/apps/courses/api.py: the presented signature is compared with the expected one using the `==` operator, whose execution time can depend on how many leading bytes of the two values match. An attacker able to observe response-time differences could potentially forge a valid signature and bypass authentication. The affected API endpoint is not explicitly named, but the issue resides in the course-run synchronization functionality; the vulnerable parameter is the HMAC signature used for authentication.
**Recommendations**
Replace the `==` comparison in the `sync course run from request` function with a constant-time comparison function.
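The following is an added example, not code from Richie or from the advisory. It shows the `==` pattern the description names beside the constant-time replacement the recommendation asks for, using Python's standard-library `hmac.compare_digest`. The secret, the request body, the `X-Signature` header name and the plain-dict `headers` argument are all constructed assumptions for illustration; Richie's real request handling, header name and signing scheme are not taken from the page.

```python
import hashlib
import hmac

# Constructed sample values (assumptions, not taken from Richie or the advisory).
SECRET = b"example-shared-secret"
PAYLOAD = b'{"resource_link": "https://example.org/course/run/1", "start": "2024-01-01T00:00:00Z"}'
SIGNATURE_HEADER = "X-Signature"  # assumed header name, for illustration only


def sign(secret: bytes, payload: bytes) -> str:
    """Compute the hex-encoded HMAC-SHA256 of a request body."""
    return hmac.new(secret, payload, hashlib.sha256).hexdigest()


def verify_vulnerable(secret: bytes, payload: bytes, presented: str) -> bool:
    """The pattern the advisory describes: '==' can stop at the first differing
    character, so verification time depends on how much of the signature matched."""
    expected = sign(secret, payload)
    return presented == expected


def verify_hardened(secret: bytes, payload: bytes, presented) -> bool:
    """Constant-time replacement using hmac.compare_digest.

    compare_digest needs both operands to be the same type (bytes-like, or
    ASCII-only str). Encoding to bytes first means a non-ASCII or non-string
    value is rejected cleanly instead of raising from inside the comparison.
    """
    if not isinstance(presented, str):
        return False
    try:
        presented_bytes = presented.encode("ascii")
    except UnicodeEncodeError:
        return False
    expected_bytes = sign(secret, payload).encode("ascii")
    # Length mismatch is also handled in constant time relative to the input.
    return hmac.compare_digest(presented_bytes, expected_bytes)


def verify_request(headers: dict, body: bytes, secret: bytes) -> bool:
    """Check a signed request given its headers (plain dict, an assumption) and raw body.
    A missing signature header is treated as a failed verification."""
    presented = headers.get(SIGNATURE_HEADER)
    if presented is None:
        return False
    return verify_hardened(secret, body, presented)


if __name__ == "__main__":
    good = sign(SECRET, PAYLOAD)
    print("valid signature accepted:", verify_request({SIGNATURE_HEADER: good}, PAYLOAD, SECRET))
    print("missing signature rejected:", not verify_request({}, PAYLOAD, SECRET))
```

Both verifiers accept and reject the same inputs; the difference is only that `verify_hardened` does not let the comparison time depend on the attacker-controlled value, which removes the timing side channel the advisory describes. When reviewing similar code, search for `==` or `!=` applied to a MAC, token or password hash and confirm each site uses `hmac.compare_digest` (or the framework's equivalent) instead.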