PT-2026-5729 · Google+2 · Google+2
Jvr2022
·
Published
2026-02-02
·
Updated
2026-03-02
·
CVE-2026-25221
CVSS v3.1
8.1
High
| Vector | AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
PolarLearn versions 0-PRERELEASE-15 and earlier
Description
The OAuth 2.0 implementation for GitHub and Google login providers is susceptible to Login Cross-Site Request Forgery (CSRF). The application does not implement and verify the state parameter during the authentication process. This allows an attacker to pre-authenticate a session and deceive a victim into logging into the attacker’s account. As a result, any data entered or academic progress made by the victim is stored on the attacker’s account, potentially leading to data loss for the victim and information disclosure to the attacker.
Recommendations
Versions prior to 0-PRERELEASE-15 should be updated.
Exploit
Fix
CSRF
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Github
Google
Polarlearn