
Security Advisory: CVE-2025-25683 – PDF files accessible without authentication

Martin Cuddy from Radically Open Security found a security issue concerning the generation of PDF files during a security audit conducted as part of our NGI0 Entrust grant. Unauthenticated users were able to access all PDF files generated in the last 24 hours. This was possible by triggering the generation of a PDF file, reading its ID from the GraphQL request, and incrementing or decrementing that ID to access other PDF files.

We consider the severity high, because it was easy to access PDF files containing substitution plans, class register printouts, or other sensitive PDF files generated by third-party apps if the right point in time was chosen. Fortunately, PDF files are deleted after 24 hours, so access was limited.

The AlekSIS team has fixed the issue for the upcoming release 4.0.0 of the AlekSIS core, and backported the fix to new versions 3.1.7 and 3.2.2 for the AlekSIS core series. Installations using the documented installation method from the release handbook can be updated by running pip3 install -U aleksis-core==3.1.7 or pip3 install -U aleksis-core==3.2.2 in the virtual environment.
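The issue described above is a classic missing-authorization check on a sequentially numbered resource. As an added illustration, not the AlekSIS team's own patch and not taken from the AlekSIS code base, the following self-contained Python sketch shows a PDF retrieval endpoint in the vulnerable shape beside a hardened one. The `User`, `PdfFile` and `PdfStore` classes, the HTTP-style status tuples and the owner-only access rule are all assumptions made for this example; AlekSIS's real data model and permission rules are not shown here.

```python
import uuid
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Hypothetical minimal models standing in for the real database rows.
@dataclass
class User:
    id: int

@dataclass
class PdfFile:
    id: str          # opaque random identifier, not a sequential counter
    owner_id: int    # who requested the generation
    content: bytes

class PdfStore:
    """In-memory stand-in for the table of generated PDF files."""

    def __init__(self) -> None:
        self._files: Dict[str, PdfFile] = {}

    def create(self, owner: User, content: bytes) -> PdfFile:
        # A random 128-bit id cannot be reached by counting up or down from a
        # known id, so enumeration alone no longer finds other files.
        pdf = PdfFile(id=uuid.uuid4().hex, owner_id=owner.id, content=content)
        self._files[pdf.id] = pdf
        return pdf

    def lookup(self, pdf_id: str) -> Optional[PdfFile]:
        return self._files.get(pdf_id)

Response = Tuple[int, Optional[bytes]]  # (status code, body)

def serve_pdf_vulnerable(store: PdfStore, pdf_id: str) -> Response:
    """Before: whoever knows (or guesses) an id receives the file."""
    pdf = store.lookup(pdf_id)
    return (404, None) if pdf is None else (200, pdf.content)

def serve_pdf(store: PdfStore, user: Optional[User], pdf_id: str) -> Response:
    """After: require an authenticated user and check ownership.

    Unknown ids and ids belonging to other users both answer 404, so the
    endpoint does not reveal which ids exist.
    """
    if user is None:
        return (401, None)
    pdf = store.lookup(pdf_id)
    if pdf is None or pdf.owner_id != user.id:
        return (404, None)
    return (200, pdf.content)

def demo() -> Dict[str, Response]:
    """Run the two endpoints against a constructed sample and return the outcomes."""
    store = PdfStore()
    alice, bob = User(1), User(2)
    sample = b"%PDF-1.4 constructed sample, not a real document"
    pdf = store.create(alice, sample)
    return {
        "vulnerable_anonymous": serve_pdf_vulnerable(store, pdf.id),
        "owner": serve_pdf(store, alice, pdf.id),
        "other_user": serve_pdf(store, bob, pdf.id),
        "anonymous": serve_pdf(store, None, pdf.id),
    }

if __name__ == "__main__":
    for name, (status, _) in demo().items():
        print(f"{name}: {status}")
```

Two independent defences are combined here: the authorization check is the actual fix (an unauthenticated or foreign caller never receives the file), while the random identifier only removes the cheap enumeration path and should be treated as defence in depth, not as a substitute for the check.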