The auth parameter in the teacher registration page is vulnerable to reflected XSS. The vulnerability affects the latest version 3.12.1 and probably earlier ones. Additionaly, the PHPSESSID cookie does not have the HttpOnly flag making it possible to perform an account takeover though the XSS. Thankfully, as far I have seen, most installations do not allow teacher registration, thus significaly minimizing the risk this being actually exploited.
The IDOR is a similar issue with CVE-2020-24381 that enables direct reference to static files hosted on the server.
While /courses/COURSE_NAME/work/ dir is now using the index.html hotfix, the /courses/archive/COURSE_NAME/ (if created) still displays the contents of the directory, thus enabling the user to download the course backup archive containing private information.
Manual access to the directory is enough but all course codes are easily scrapable from the website. Creating a wordlist and enumerating directories could reveal course archive folders that have been created in a matter of seconds.
In this case, even if the index.html hotfix is applied, backup archives could be easily found since the filenames are not random as they were in the /courses/COURSE_NAME/work/ folder.
Course backup archives follow an easily guessable pattern (COURSE_CODE-YYYYMMDD.zip) so the same PoC could be applied targeting specific courses that the user might be interested in since data directory is inside the web root and no session validation is made.