CVE-2020-37115 Overview
CVE-2020-37115 affects GUnet OpenEclass 1.7.3, an open-source e-learning platform used by academic institutions. The application stores user credentials in plaintext within its database. Administrators with access to the user management interface can view every registered user's username and password without any cryptographic protection. This weakness maps to CWE-256 (Plaintext Storage of a Password) and exposes credentials to insider threats and database compromise scenarios. Because users frequently reuse passwords across services, exposure of plaintext credentials creates downstream risk for unrelated systems.
Critical Impact
All user passwords on affected OpenEclass 1.7.3 deployments are recoverable in plaintext by any administrator or attacker with database read access.
Affected Products
- GUnet OpenEclass Platform 1.7.3
- Any deployment of OpenEclass relying on the affected credential storage routine
- Downstream services where users reused OpenEclass credentials
Discovery Timeline
- 2026-02-03 - CVE-2020-37115 published to NVD
- 2026-02-10 - Last updated in NVD database
Technical Details for CVE-2020-37115
Vulnerability Analysis
The vulnerability stems from OpenEclass 1.7.3 storing user passwords as plaintext strings in the backing database. Authentication routines compare submitted passwords directly against the stored value rather than against a salted cryptographic hash. The administrator user management views render the stored values without masking, allowing a privileged user to enumerate credentials for every account. The flaw is classified under CWE-256 and is exploitable over the network by an authenticated low-privilege account that subsequently leverages the exposed credentials.
Root Cause
The root cause is the absence of a one-way password hashing function during user registration and password change operations. Modern authentication systems hash passwords using algorithms such as bcrypt, argon2, or PBKDF2 with a per-user salt. OpenEclass 1.7.3 omits this transformation entirely, persisting the user-supplied secret as-is. Any party with read access to the user table or to administrative reporting screens obtains the cleartext password.
Attack Vector
Exploitation requires access to the OpenEclass database or to an administrator session. An attacker who compromises a single administrative account, exploits a separate SQL injection flaw, or obtains a database backup can extract all credentials. Because no hashing is performed, no offline cracking is necessary. The attacker can immediately authenticate as any user on OpenEclass and attempt credential stuffing against other services where users may reuse passwords.
No exploit code is needed to demonstrate the issue. The vulnerability is observable by inspecting the user table in the database or the administrator user listing in the web interface. See the VulnCheck Advisory on OpenEClass and Exploit-DB #48163 for additional technical context.
Detection Methods for CVE-2020-37115
Indicators of Compromise
- Database queries against the OpenEclass user table originating from non-application accounts or unusual hosts.
- Administrator account logins from new geolocations or outside normal business hours followed by bulk page views of the user management interface.
- Successful logins to unrelated corporate services using credentials matching OpenEclass accounts, suggesting credential reuse exploitation.
Detection Strategies
- Inspect the OpenEclass user table schema and contents to confirm whether passwords are stored as plaintext rather than as hashes prefixed with identifiers such as $2y$ or $argon2.
- Enable web server access logging for administrator-only paths and alert on bulk access to user listing endpoints.
- Correlate authentication failures across enterprise applications to identify credential stuffing campaigns sourced from OpenEclass credential leaks.
Monitoring Recommendations
- Forward OpenEclass application logs and database audit logs to a centralized analytics platform for retention and query.
- Monitor for unauthorized exports of the user table and for outbound transfers of database dump files.
- Track administrator account activity for anomalous session duration, source IP changes, and access to credential-bearing screens.
How to Mitigate CVE-2020-37115
Immediate Actions Required
- Upgrade OpenEclass to a supported release that hashes passwords using a modern algorithm with per-user salts.
- Force a password reset for every OpenEclass user account, invalidating credentials that were previously stored in plaintext.
- Restrict administrative access to the OpenEclass console using network ACLs, multi-factor authentication, and the principle of least privilege.
- Audit historical database backups and remove or encrypt copies that contain plaintext credentials.
Patch Information
Review the OpenEClass Changes Log and the OpenEClass Official Site for current supported versions. Version 1.7.3 is affected; deployments must move to a release that implements salted password hashing. Verify post-upgrade that stored credentials are no longer recoverable as cleartext.
Workarounds
- Where upgrading is not immediately possible, restrict database access to the application service account only and remove direct administrator query access.
- Place the OpenEclass administrative interface behind a VPN or zero-trust proxy to limit exposure of credential-bearing screens.
- Notify users to avoid reusing their OpenEclass password on other systems until the platform is patched.
# Example: verify whether stored passwords appear to be hashed
# Replace credentials and table/column names to match your deployment.
# The prefix is widened to 8 characters so that "$argon2id" is visible in full.
mysql -u dba -p openeclass -e \
"SELECT username, LEFT(password, 8) AS prefix, LENGTH(password) AS len \
FROM user LIMIT 20;"
# Hashed values typically begin with $2y$, $2a$, $argon2, or are 60+ chars.
# Short, human-readable values indicate plaintext storage.
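The same check carried further, as an added example that is not part of the advisory or of the OpenEclass code base: it classifies stored values by hash-format prefix (the $2y$ / $argon2 test from the Detection Strategies section, generalized to bcrypt, argon2 and a PBKDF2 format), flags rows that look like plaintext, and shows the salted one-way hashing the Root Cause section says is missing, using only the Python standard library. The sample rows are constructed, and the PBKDF2 serialization format is this example's own choice, not OpenEclass's.

```python
import hashlib
import hmac
import os
import re

# Recognizers for common stored-hash formats. Anything that matches none of them
# is treated as suspected plaintext and reported for review.
HASH_PREFIXES = {
    "bcrypt": re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$"),
    "argon2": re.compile(r"^\$argon2(id|i|d)\$"),
    "pbkdf2-sha256": re.compile(r"^\$pbkdf2-sha256\$\d+\$[0-9a-f]+\$[0-9a-f]+$"),
}

def classify_stored_password(value: str) -> str:
    """Return the scheme a stored value looks like, or 'plaintext' if it matches none."""
    for name, pattern in HASH_PREFIXES.items():
        if pattern.match(value):
            return name
    return "plaintext"

def audit_user_rows(rows):
    """Return usernames whose stored password value does not look like a known hash."""
    return [user for user, stored in rows if classify_stored_password(stored) == "plaintext"]

PBKDF2_ITERATIONS = 600_000  # OWASP's current guidance for PBKDF2-HMAC-SHA256

def hash_password(password: str, salt=None) -> str:
    """Salted one-way hash, serialized as $pbkdf2-sha256$<iterations>$<salt hex>$<hash hex>."""
    salt = salt or os.urandom(16)  # fresh per-user salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"$pbkdf2-sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        _, scheme, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:          # not in the serialized format above (e.g. a plaintext row)
        return False
    if scheme != "pbkdf2-sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)

# Constructed sample rows (not real OpenEclass data): two plaintext, one bcrypt, one argon2.
SAMPLE_ROWS = [
    ("alice", "Summer2020!"),
    ("bob", "$2y$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy"),
    ("carol", "$argon2id$v=19$m=65536,t=3,p=4$c2FsdHNhbHQ$aGFzaGhhc2hoYXNo"),
    ("dave", "password123"),
]
```

Rows that `audit_user_rows` reports are the accounts whose credentials must be reset after migration, since a plaintext value can be re-hashed on next login but should never be trusted as uncompromised.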
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

