PT-2024-28056 · Open eClass

John-Weasel-4345 · Published 2024-08-12 · Updated 2024-08-17

CVE-2024-38530 · CVSS v3.1 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Open eClass versions prior to 3.16
Description: Open eClass, a course management system, contains an arbitrary file upload vulnerability in the "save" functionality of its H5P module. The handler can be reached without authentication and does not restrict what is uploaded, so an unauthenticated attacker can write files of their choosing to the server's filesystem. Because the upload location is served over the web, an uploaded server-side script can then be requested and executed, giving remote code execution (RCE) on the backend server.
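The following is an added example (not Open eClass or H5P project code) of the checks a hardened "save" handler needs to run on an uploaded H5P package before it writes anything under a web-served directory: every archive entry must be a relative path without traversal and carry an allowlisted extension with no server-script segment anywhere in its name, and the package must contain a parseable h5p.json manifest. The package layout, the allowlist, the size limits and all function names are this example's own assumptions, and the sample packages are constructed in memory.

```python
"""Added example; not code from Open eClass or the H5P project.
Assumptions (this example's own, not from the advisory): the package layout
(h5p.json manifest at the root), the extension allowlist, size limits and
all function names.
"""
from __future__ import annotations

import io
import json
import posixpath
import zipfile
from typing import Optional

# Extensions an H5P package may carry; modelled on H5P's default allowlist
# (assumption). Server-side script extensions are deliberately absent.
ALLOWED_EXTENSIONS = {
    "json", "png", "jpg", "jpeg", "gif", "bmp", "tif", "tiff", "svg", "eot",
    "ttf", "woff", "woff2", "otf", "webm", "mp4", "ogg", "mp3", "m4a", "wav",
    "txt", "pdf", "rtf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "odt",
    "ods", "odp", "xml", "csv", "vtt", "webvtt", "js", "css",
}
# Any dotted segment matching these is rejected even if the final extension is
# allowed, so 'shell.php.png' cannot be renamed or mis-typed into execution.
SERVER_SCRIPT_SEGMENTS = {"php", "php3", "php4", "php5", "php7", "phtml",
                          "phar", "cgi", "pl", "py", "sh", "htaccess"}


class H5PValidationError(ValueError):
    """Raised for any package that must not be written to disk."""


def _safe_relative_path(name: str) -> str:
    """Return a normalised relative POSIX path; raise on absolute names or traversal."""
    if name.startswith(("/", "\\")) or "\\" in name or ":" in name or "\x00" in name:
        raise H5PValidationError(f"absolute or non-POSIX entry name: {name!r}")
    norm = posixpath.normpath(name)
    if norm in ("", ".") or any(part == ".." for part in norm.split("/")):
        raise H5PValidationError(f"path traversal in entry name: {name!r}")
    return norm


def _check_extension(norm: str) -> None:
    """Require an allowlisted final extension and no server-script segment anywhere."""
    parts = posixpath.basename(norm).lower().split(".")
    if len(parts) < 2 or not parts[0]:          # 'README' and '.htaccess' both fail here
        raise H5PValidationError(f"no usable extension: {norm!r}")
    if parts[-1] not in ALLOWED_EXTENSIONS:
        raise H5PValidationError(f"extension {parts[-1]!r} not allowed: {norm!r}")
    bad = SERVER_SCRIPT_SEGMENTS.intersection(parts[1:])
    if bad:
        raise H5PValidationError(f"server-script segment {sorted(bad)} in {norm!r}")


def validate_h5p_package(data: bytes, max_entries: int = 2000,
                         max_total_bytes: int = 200 * 1024 * 1024) -> list[str]:
    """Return the sorted entry paths of an acceptable package, else raise H5PValidationError."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile as exc:
        raise H5PValidationError(f"not a zip archive: {exc}") from exc
    infos = [i for i in zf.infolist() if not i.is_dir()]
    if len(infos) > max_entries:
        raise H5PValidationError(f"{len(infos)} entries exceeds {max_entries}")
    # Declared sizes can lie; a real handler also enforces a byte budget while
    # streaming each entry out. This only catches the honest-but-huge case.
    if sum(i.file_size for i in infos) > max_total_bytes:
        raise H5PValidationError("declared uncompressed size too large")
    by_path: dict[str, zipfile.ZipInfo] = {}
    for info in infos:
        norm = _safe_relative_path(info.filename)
        _check_extension(norm)
        if norm in by_path:
            raise H5PValidationError(f"duplicate entry after normalisation: {norm!r}")
        by_path[norm] = info
    manifest_info = by_path.get("h5p.json")
    if manifest_info is None:
        raise H5PValidationError("missing h5p.json manifest")
    try:
        manifest = json.loads(zf.read(manifest_info))
    except (ValueError, UnicodeDecodeError) as exc:
        raise H5PValidationError(f"h5p.json is not valid JSON: {exc}") from exc
    if not isinstance(manifest, dict) or not isinstance(manifest.get("mainLibrary"), str):
        raise H5PValidationError("h5p.json lacks a string 'mainLibrary'")
    return sorted(by_path)


def rejection_reason(data: bytes) -> Optional[str]:
    """None if the package passes, otherwise the reason it was refused."""
    try:
        validate_h5p_package(data)
    except H5PValidationError as exc:
        return str(exc)
    return None


def build_package(entries: dict[str, bytes]) -> bytes:
    """Build an in-memory zip (constructed test input, not a real H5P export)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


MANIFEST = json.dumps({"title": "Demo", "mainLibrary": "H5P.Blanks",
                       "language": "en", "embedTypes": ["div"]}).encode()
# Constructed samples: one benign package and the shapes an unrestricted
# 'save' handler would have written straight into a web-served directory.
BENIGN = build_package({"h5p.json": MANIFEST, "content/content.json": b"{}",
                        "content/images/pic.png": b"\x89PNG\r\n\x1a\n"})
SCRIPT_DROP = build_package({"h5p.json": MANIFEST, "content/shell.php": b"<?php echo 1; ?>"})
DOUBLE_EXT = build_package({"h5p.json": MANIFEST, "content/shell.php.png": b"<?php echo 1; ?>"})
TRAVERSAL = build_package({"h5p.json": MANIFEST, "../../evil.png": b"x"})
NO_MANIFEST = build_package({"content/content.json": b"{}"})

if __name__ == "__main__":
    for label, pkg in [("benign", BENIGN), ("script", SCRIPT_DROP), ("double-ext", DOUBLE_EXT),
                       ("traversal", TRAVERSAL), ("no-manifest", NO_MANIFEST)]:
        print(f"{label:12s} -> {rejection_reason(pkg) or 'accepted'}")
```

Running the file prints which constructed package is accepted and why each of the others is refused. The extension check is not a substitute for storing extracted content somewhere the web server will not execute scripts; both controls belong in place, since the second is what turns a bypass of the first into a file download rather than code execution.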
Recommendations: Upgrade to Open eClass 3.16, which fixes the arbitrary file upload in the H5P module. Until the upgrade is applied, restrict access to the H5P module's "save" functionality (at the web server or in front of the application) so that it cannot be reached by unauthenticated users. As defence in depth, configure the web server not to execute scripts from the directories where H5P content is stored, and review those directories and the web server access logs for files and requests that are not H5P content.
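As an added example (not from the advisory or from Open eClass) of the post-incident check an operator would want, the script below walks web server access logs in combined format for the pattern this vulnerability enables: a POST to the H5P upload endpoint followed, from the same client, by a successful request for a server-executable file under the directory that serves H5P content. The endpoint path (/modules/h5p/), the served content path (/h5p/content/) and the log lines are all constructed assumptions; substitute your deployment's paths.

```python
"""Added example, not part of the advisory or of Open eClass.
Assumptions: combined log format; the upload endpoint lives under
/modules/h5p/ and extracted packages are served under /h5p/content/.
Both regexes below are placeholders for your deployment's real paths.
"""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
UPLOAD_ENDPOINT_RE = re.compile(r"/modules/h5p/", re.I)   # assumption
SERVED_CONTENT_RE = re.compile(r"/h5p/content/", re.I)    # assumption
# A server-executable file under the served content directory is the tell:
# legitimate H5P content is JSON, media, fonts, JS and CSS only.
SCRIPT_RE = re.compile(r"\.(?:php\d?|phtml|phar)(?:[/?]|$)", re.I)


def parse_line(line: str) -> dict | None:
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def find_suspicious(lines, window: timedelta = timedelta(hours=1)) -> list[dict]:
    """Findings for script hits under served content, paired with a prior upload when one exists."""
    uploads: dict[str, list[tuple[datetime, str]]] = defaultdict(list)
    findings: list[dict] = []
    for rec in filter(None, map(parse_line, lines)):
        if rec["status"] >= 400:
            continue                      # failed requests are noise for this check
        if rec["method"] == "POST" and UPLOAD_ENDPOINT_RE.search(rec["path"]):
            uploads[rec["ip"]].append((rec["ts"], rec["path"]))
        if SERVED_CONTENT_RE.search(rec["path"]) and SCRIPT_RE.search(rec["path"]):
            prior = [p for t, p in uploads[rec["ip"]] if timedelta(0) <= rec["ts"] - t <= window]
            findings.append({
                "ip": rec["ip"], "when": rec["ts"].isoformat(), "path": rec["path"],
                "kind": "upload_then_execute" if prior else "script_under_uploads",
                "prior_uploads": prior,
            })
    return findings


# Constructed sample log: an upload-then-execute pair, a legitimate user, a
# failed probe (404, ignored) and a script hit with no matching upload.
SAMPLE_LOG = """
203.0.113.7 - - [12/Aug/2024:10:01:02 +0000] "POST /modules/h5p/save.php HTTP/1.1" 200 512 "-" "curl/8.4.0"
203.0.113.7 - - [12/Aug/2024:10:01:09 +0000] "GET /courses/TMA101/h5p/content/3/shell.php HTTP/1.1" 200 66 "-" "curl/8.4.0"
198.51.100.4 - - [12/Aug/2024:10:05:30 +0000] "GET /courses/TMA101/h5p/content/2/content.json HTTP/1.1" 200 900 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Aug/2024:10:06:00 +0000] "POST /modules/h5p/save.php HTTP/1.1" 200 400 "-" "Mozilla/5.0"
192.0.2.9 - - [12/Aug/2024:11:40:11 +0000] "GET /courses/TMA101/h5p/content/5/cmd.php HTTP/1.1" 404 200 "-" "python-requests/2.31"
192.0.2.9 - - [12/Aug/2024:11:41:00 +0000] "GET /courses/TMA101/h5p/content/5/x.phtml HTTP/1.1" 200 70 "-" "python-requests/2.31"
"""


def run_sample() -> list[dict]:
    """Run the check over the constructed sample log."""
    return find_suspicious(SAMPLE_LOG.strip().splitlines())


if __name__ == "__main__":
    for f in run_sample():
        print(f["kind"], f["ip"], f["when"], f["path"], f["prior_uploads"])
```

Pair findings of kind upload_then_execute with the request body or upload directory contents to confirm what was written; a script_under_uploads hit with no matching POST inside the window still means a server-executable file was reachable under served content and should be investigated.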


Weakness Enumeration: Unrestricted File Upload

Related Identifiers: CVE-2024-38530, GHSA-88c3-hp7p-grgg

Affected Products: H5P, Open eClass