THREATOPS
THREAT OPSThreat News › Skillable SCORM launch: userId parameter not validated against session token allows allocation bypass and cross-user DoS

Skillable SCORM launch: userId parameter not validated against session token allows allocation bypass and cross-user DoS

medoss_secPublished 2026-07-12

<p>Posted by gregdurys . security on Jul 12</p>Skillable (formerly Learn on Demand Systems) is a hosted lab-<br /> provisioning service integrated into learning management systems over<br /> SCORM. The SCORM lab launch endpoint at scorm.skillable.com validates<br /> a SCORM launch token sufficiently to authorise the launch, but enforces its per-user<br /> launch limit against a userId query parame

Indicators of compromise

Original source: https://seclists.org/oss-sec/2026/q3/120