CVE-2018-16970

Name of the Vulnerable Software and Affected Versions Wisetail Learning Ecosystem (LE) versions through 4.11.6

Description The issue allows for insecure direct object reference (IDOR) attacks, enabling the download of non-purchased course files. This is achieved by modifying the id parameter in a specific API request.

Recommendations For versions through 4.11.6, as a temporary workaround, consider restricting access to the id parameter in the affected API endpoint until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.