THREAT OPS › Threat News › Skillable SCORM launch: userId parameter not validated against session token allows allocation bypass and cross-user DoS
Skillable SCORM launch: userId parameter not validated against session token allows allocation bypass and cross-user DoS
<p>Posted by gregdurys . security on Jul 12</p>Skillable (formerly Learn on Demand Systems) is a hosted lab-<br /> provisioning service integrated into learning management systems over<br /> SCORM. The SCORM lab launch endpoint at scorm.skillable.com validates<br /> a SCORM launch token sufficiently to authorise the launch, but enforces its per-user<br /> launch limit against a userId query parame
Indicators of compromise
- scorm.skillable.comdomain
Original source: https://seclists.org/oss-sec/2026/q3/120