Vulnerability Summary:
- This is a business logic flaw in the Open eClass platform, allowing authenticated students to improperly mark their attendance even after the activity has expired by accessing a crafted URL.

Affected Versions: <= 4.1
Patched Versions: 4.2
Severity: Moderate (4.3/10)
CVE ID: CVE-2026-24774

Key Points:
- The application fails to enforce proper authorization and validation in the attendance module.
- A student can construct a specific URL to mark attendance even if they are absent or the activity has ended.
- This can lead to integrity issues in academic data.

Proof of Concept:
- The PoC involves manipulating a URL. A screenshot and URL example are provided showing how a student can mark attendance despite the activity's expiration. The parameter, a small integer, is used for this action.

Discoverer Credit: The vulnerability was discovered and reported by Alexandros Perrakis (Stolichnayer).
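
The kind of server-side check whose absence the Key Points describe, as an added example that is not Open eClass code. The data model, the function names and the policy (a student may mark only their own attendance, and only while the activity is open) are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Hypothetical model and policy for illustration; not Open eClass's schema or code.
@dataclass(frozen=True)
class Activity:
    id: int
    course_id: int
    opens_at: datetime
    closes_at: datetime

@dataclass(frozen=True)
class User:
    id: int
    role: str              # "student" or "teacher"
    course_ids: frozenset  # courses the user belongs to

def may_mark_attendance(actor, target_user_id, activity, now):
    """Return (allowed, reason); evaluated server-side on every request."""
    if activity is None:
        return False, "unknown activity"
    if activity.course_id not in actor.course_ids:
        return False, "not a member of the course"
    if actor.role == "teacher":
        return True, "ok"              # assumed: staff may record at any time
    if actor.id != target_user_id:
        return False, "students may only mark themselves"
    if not (activity.opens_at <= now <= activity.closes_at):
        return False, "activity is not open"   # expiry enforced here, not in the UI
    return True, "ok"

def handle_mark_request(actor, raw_id, activities, now):
    """Strictly parse the id taken from the URL, then apply the policy."""
    if not (raw_id.isascii() and raw_id.isdigit()):
        return False, "malformed id"
    return may_mark_attendance(actor, actor.id, activities.get(int(raw_id)), now)

# Constructed sample data.
UTC = timezone.utc
ACTIVITIES = {7: Activity(7, 101, datetime(2026, 1, 10, 9, tzinfo=UTC),
                          datetime(2026, 1, 10, 11, tzinfo=UTC))}
STUDENT = User(42, "student", frozenset({101}))
OUTSIDER = User(43, "student", frozenset({202}))

if __name__ == "__main__":
    for when in (datetime(2026, 1, 10, 10, tzinfo=UTC), datetime(2026, 1, 12, 10, tzinfo=UTC)):
        print(when.isoformat(), handle_mark_request(STUDENT, "7", ACTIVITIES, when))
```

The decision depends only on server-held state (role, course membership, the activity's time window) and the clock, so a hand-built URL gets the same answer as a link the interface would have shown.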