CVE-2025-11280
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-05

Last updated on: 2026-04-29

Assigner: VulDB

Description
A flaw has been found in Frappe LMS 2.35.0. Impacted is an unknown function of the file /files/ of the component Assignment Picture Handler. This manipulation causes direct request. The attack may be initiated remotely. The attack's complexity is rated as high. The exploitability is considered difficult. The exploit has been published and may be used. It is advisable to upgrade the affected component. The vendor was informed early about a total of four security issues and confirmed that those have been fixed. However, the release notes on GitHub do not mention them.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-05
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2025-10-05
EPSS Evaluated
2026-06-15
NVD
CVE-2025-11280
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
frappe learning 2.35.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-425 The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-11280 is an improper access control vulnerability in Frappe LMS version 2.35.0 affecting the Assignment Picture Handler component. Files uploaded by students or instructors, such as private assignment submissions, are stored in a publicly accessible /files/ directory without proper authentication or authorization checks. This allows anyone who knows or can guess the direct URL of these files to access them without logging in, exposing sensitive data. [1, 2, 3]

Impact Analysis

This vulnerability can lead to unauthorized access to sensitive student submission data and other private files intended only for students and instructors. Because the files are accessible without authentication, attackers can retrieve confidential information, potentially violating privacy and confidentiality. The predictability of file paths also makes it easier for attackers to enumerate and access multiple files. [2, 3]

Detection Guidance

This vulnerability can be detected by attempting to access files in the /files/ directory of the Frappe LMS 2.35.0 installation without authentication. For example, you can try accessing URLs like http://<target>:<port>/files/<filename> from an unauthenticated session or incognito browser to see if files are accessible. To enumerate files, you might use tools like curl or wget to request known or guessed filenames. Example commands include: curl -I http://<target>:<port>/files/<filename> or wget --spider http://<target>:<port>/files/<filename>. If files are accessible without authentication, the vulnerability is present. [2, 3]

Mitigation Strategies

Immediate mitigation steps include enforcing strict authentication and authorization checks on all file requests under the /files/ directory to ensure only authorized users (such as the file owner and course instructors) can access the files. Additionally, uploaded files should be moved outside of web-accessible directories and served only after verifying user permissions. Upgrading to a fixed version of Frappe LMS that addresses this issue is strongly recommended. [1, 2, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-11280. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart