Security: Unauthenticated File Upload, Missing Auth on Training Endpoints, Path Traversal #3047

@lighthousekeeper1212

Description

Summary

A security audit identified 10 vulnerabilities (1 CRITICAL, 6 HIGH, 2 MEDIUM, 1 LOW) in the Claroline LMS platform, primarily missing authentication on several controller endpoints.

Critical Finding: Unauthenticated File Upload (CWE-306)

FileController.php:166: POST /file/public/upload accepts file uploads with no authentication at all:

#[Route(path: '/public/upload', name: 'claro_public_file_upload', methods: ['POST'])]
public function uploadPublicAction(Request $request): JsonResponse
{
    // No @IsGranted, no authentication check
    $file = $request->files->get('file');
    // ... processes and stores file
}

Any anonymous user can upload files to the server.

High Findings

  1. Missing auth on training session cancel (SessionController.php:130): POST /cursus_session/cancel — any unauthenticated user can cancel training sessions.

  2. Missing auth on user listing endpoints (SessionUserController.php:46, EventUserController.php:44): List all registered users/event registrations without authentication.

  3. Path traversal / SSRF (EventPresenceController.php:310): file[url] query parameter passed to file_get_contents() — enables reading arbitrary files or SSRF.

  4. Missing auth on training list endpoints (EventController.php:96, SessionController.php:71): List training events/sessions without authentication.

Medium Findings

  1. AbstractVoter default allow (AbstractVoter.php:160): Default CRUD behavior allows all operations unless explicitly denied — fail-open pattern.

  2. Missing auth on import sample (ImportController.php:126): Potential path traversal via sample file download.

Pattern

Multiple Cursus (training management) plugin controllers are missing authentication annotations (@IsGranted) while core controllers properly enforce them — a 1-of-N inconsistency between the plugin and core.

Recommended Fixes

  1. Add #[IsGranted('IS_AUTHENTICATED_FULLY')] to uploadPublicAction or restrict to authenticated users
  2. Add authentication checks to all Cursus plugin controllers
  3. Validate file[url] parameter against path traversal and SSRF
  4. Change AbstractVoter default from allow to deny
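As an added illustration of fixes 1, 3 and 4 (example code, not Claroline's own; the class names, the `ALLOWED_HOSTS` list and Symfony 6.2+ attribute-based `IsGranted` are assumptions), a hardened upload action, a gate for `file[url]` that refuses anything other than an http(s) URL to an allow-listed host, and a voter whose default branch denies:

```php
<?php
// Added illustration of recommended fixes 1, 3 and 4; not Claroline's own code.
// Class names and the allow-list are hypothetical. Assumes Symfony 6.2+.
use Symfony\Component\HttpFoundation\{JsonResponse, Request};
use Symfony\Component\Routing\Annotation\Route;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Authorization\Voter\Voter;
use Symfony\Component\Security\Http\Attribute\IsGranted;

final class HardenedFileController
{
    // Remote hosts this controller may fetch from (constructed example list).
    private const ALLOWED_HOSTS = ['cdn.example.org'];

    // Fix 1: Symfony now denies anonymous requests before the action body runs.
    #[IsGranted('IS_AUTHENTICATED_FULLY')]
    #[Route(path: '/public/upload', name: 'claro_public_file_upload', methods: ['POST'])]
    public function uploadPublicAction(Request $request): JsonResponse
    {
        $file = $request->files->get('file');
        // ... validate type and size, then store the file as before
        return new JsonResponse(['uploaded' => $file !== null]);
    }

    // Fix 3: gate for file[url]. Only an http(s) URL to an allow-listed host is
    // returned; everything else yields null and never reaches file_get_contents().
    public static function validateRemoteUrl(string $url): ?string
    {
        $p = parse_url($url);
        $ok = $p !== false
            && isset($p['scheme'], $p['host'])                              // not a bare path or ".."
            && in_array(strtolower($p['scheme']), ['http', 'https'], true)  // no file://, php://, gopher://
            && !isset($p['user']) && !isset($p['pass'])                     // no "user@host" confusion
            && in_array(strtolower($p['host']), self::ALLOWED_HOSTS, true); // no internal/metadata hosts
        return $ok ? $url : null;
    }
}

// Fix 4: a voter that fails closed; unrecognised attributes are denied rather than allowed.
abstract class FailClosedVoter extends Voter
{
    protected function voteOnAttribute(string $attribute, mixed $subject, TokenInterface $token): bool
    {
        return match ($attribute) {
            'OPEN' => $this->canOpen($subject, $token),
            default => false, // was effectively "allow unless explicitly denied"
        };
    }
    abstract protected function canOpen(mixed $subject, TokenInterface $token): bool;
}
```

With this gate, `../../etc/passwd`, `file:///etc/passwd` and `http://169.254.169.254/` all return null, while `http://cdn.example.org/x` passes.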

Found during security research. This report describes vulnerability classes and fixes without providing exploit code.