URGENT: Security bug allows free access to paid courses #1815

@AlphaC137

Description

There is a critical vulnerability in the repository where all paid courses can be accessed for free by simply setting the "free" attribute to true. This allows unauthorized users to bypass payment and access premium content. Steps to reproduce and a sample exploit script have been publicly shared in Issue #1495.

Impact:

  • Unrestricted access to paid content
  • Loss of revenue
  • Potential legal and trust issues

Suggested actions:

  • Immediately audit and restrict any client-side code that allows toggling the "free" attribute
  • Move the pricing logic and access control to a secure server-side check
  • Patch any endpoints or APIs that trust user-supplied attributes for access control
  • Conduct a security review for similar vulnerabilities

Reference:

This should be prioritized as a critical hotfix.
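The fix the suggested actions describe (ignore any client-supplied "free" attribute and decide access from server-held data) is illustrated below as an added example. This is not code from the repository or from the issue author; the catalog, purchase records, user ids and the `request_attrs` shape are constructed assumptions. The vulnerable function reproduces the trust pattern the issue describes so the two can be compared side by side; the hardened one consults only the server-side catalog and purchase records, denies unknown courses by default, and flags requests that try to carry authorization-affecting attributes so they can be logged.

```python
"""Server-side course access control: the "free" flag must come from the
server's catalog, never from the request.

Added example, not code from the repository discussed in the issue.
COURSE_CATALOG, PURCHASES and the request_attrs dict are constructed
assumptions standing in for whatever store the real application uses.
"""

# Constructed catalog: only the server knows which courses are free.
COURSE_CATALOG = {
    "intro-python": {"free": True},
    "advanced-security": {"free": False},
}

# Constructed purchase records, keyed by user id.
PURCHASES = {
    "alice": {"advanced-security"},
    "bob": set(),
}

# Attributes that a client must never be allowed to influence authorization with.
AUTHZ_ATTRIBUTES = {"free", "paid", "price"}


def vulnerable_can_access(user_id: str, course_id: str, request_attrs: dict) -> bool:
    """The flawed pattern from the issue: the "free" attribute arrives from the
    client and is trusted, so free=true grants access to any paid course."""
    if request_attrs.get("free") is True:
        return True
    return course_id in PURCHASES.get(user_id, set())


def secure_can_access(user_id: str, course_id: str, request_attrs: dict) -> bool:
    """Hardened check: request_attrs is accepted only so the signature matches
    the vulnerable version; it is never consulted for the decision.
    Access depends solely on the server-side catalog and purchase records."""
    course = COURSE_CATALOG.get(course_id)
    if course is None:
        return False  # unknown course: deny by default
    if course["free"]:
        return True
    return course_id in PURCHASES.get(user_id, set())


def suspicious_attributes(request_attrs: dict) -> set:
    """Detection aid: return the authorization-affecting keys a client tried to
    send. A non-empty result is worth logging, since a legitimate client has
    no reason to send them once the server owns the pricing decision."""
    return AUTHZ_ATTRIBUTES & set(request_attrs)


if __name__ == "__main__":
    tampered = {"free": True}
    print("vulnerable, bob -> advanced-security:",
          vulnerable_can_access("bob", "advanced-security", tampered))
    print("secure,     bob -> advanced-security:",
          secure_can_access("bob", "advanced-security", tampered))
    print("flagged attributes:", suspicious_attributes(tampered))
```

Running the module prints the vulnerable check granting the tampered request and the hardened check denying it; wiring `suspicious_attributes` into the request log gives a cheap signal for spotting attempts against the old behaviour after the fix ships.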
