漏洞概述 漏洞名称: Skillable SCORM Launch: userId parameter not validated against session token allows allocation bypass and cross-user DoS CVE编号: CVE-2026-56877 CVSS评分: 3.1 Base Score: 6.5 (Medium) 向量: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 影响范围 受影响项目: Skillable (formerly Learn on Demand Systems) 服务: Hosted SCORM lab provisioning (scorm.skillable.com) 受影响端点: GET /score/launch (userid query parameter) 相关利用向量: authenticated learner enumeration exposed by the LMS 受影响版本: Hosted service; no version identifiers or commit hashes apply. Confirmed affected during testing on 2026-06-28 and subsequently acknowledged by the vendor. 修复方案 修复状态: none public as of publication (the vendor states no fix is planned for the SCORM launch path). 建议修复措施: - Bind the launch to a server-validated learner identity, for example through a user-scoped signing token or server-to-server integration. - Do not enforce per-user limits using an unverified browser-supplied userId. Where such binding cannot be added to the legacy SCORM path, migrate to the API or LTI 1.3 integration. - The vendor’s recommended remediation for affected customers is migration to an API or LTI 1.3 launch integration, which carries the identity binding the SCORM launch path lacks. 其他信息 披露时间线: - 2026-06-28: Per-user rate-limit error observed; userId modification via a proxy match-and-replace rule returned a new LabInstanceId. - 2026-06-29: Concurrent lab instances confirmed against a single account. - 2026-06-03: Cross-user denial of service confirmed with a consenting fellow student. - 2026-05-08: Findings documented; Skillable support ticket #4043837 raised; disclosure channel provided. - 2026-05-11: Report submitted to Disclosures@...llable.com (encrypted archive). - 2026-05-13: Skillable acknowledged receipt (Nat Share, Manager, Product Security). - 2026-05-19: CVE request submitted to MITRE (Skillable is not a CNA). - 2026-05-20: Status request to Skillable - no response. - 2026-06-08: Second follow-up, restarting the 60-day disclosure window (closing 2026-07-12). - 2026-06-10: Skillable responded that the issue is “an inherent flaw in the SCORM technology” and asked that it not be disclosed without written permission. - 2026-06-10: Pushback sent; open-ended embargo declined; 2026-07-12 date held. - 2026-06-23: MITRE assigned CVE-2026-56877; coordinated disclosure remained under embargo until 2026-07-12. - 2026-06-26: Skillable sent at least one affected customer an advisory (“SCORM-based lab launches and recommended migration”); no CVE, no CVSS), stating no server-side fix for the SCORM path and recommending migration. - 2026-06-26: Coordination update sent to Skillable noting the assignment and the embargo date. - 2026-07-12: Advisory published. 当前状态: - Vendor fix: none planned for the SCORM launch path. - Vendor remediation: migrate to an API or LTI 1.3 launch integration. - Customer advisory: sent to at least one affected customer on 2026-06-26 (private notification, no CVE, no CVSS). - CVE: CVE-2026-56877, assigned by the MITRE CNA of Last Resort. 参考文献: - [1] Advisory writeup: https://gpg.codeberg.io/beyond-crto-skillable/ - [2] GitHub advisory: https://github.com/forqurys/security-advisories/tree/main/skillable - [3] CVE-2026-56877: https://www.cve.org/CVERecord?id=CVE-2026-56877 - [4] CWE-639: Authorization Bypass Through User-Controlled Key: https://cwe.mitre.org/data/definitions/639.html 信用: - Discovered by Greg Dury - https://github.com/GregDury --- 总结 该漏洞涉及Skillable的SCORM启动路径中的 参数未与会话令牌进行验证,导致分配绕过和跨用户拒绝服务(DoS)。尽管供应商认为这是SCORM技术的固有缺陷,并计划不修复此路径,但建议迁移到API或LTI 1.3启动集成以增强安全性。