CVE-2025-11281
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-05

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability has been found in Frappe LMS 2.35.0. The affected element is an unknown function of the file /courses/ of the component Unpublished Course Handler. Such manipulation leads to improper access controls. The attack may be launched remotely. This attack is characterized by high complexity. The exploitability is described as difficult. The exploit has been disclosed to the public and may be used. You should upgrade the affected component. The vendor was informed early about a total of four security issues and confirmed that those have been fixed. However, the release notes on GitHub do not mention them.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-05
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2025-10-05
EPSS Evaluated
2026-06-14
NVD
CVE-2025-11281
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
frappe learning 2.35.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-266 A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-11281 is an improper access control vulnerability in Frappe LMS version 2.35.0 affecting the Unpublished Course Handler component at the /courses/ endpoint. It allows unauthorized users to access unpublished courses that should normally be hidden. Unauthenticated users can view course metadata by directly accessing the course URL, while authenticated users with the LMS Student role can view full course content and submit assignments even if the course is unpublished. This happens because access controls are only enforced at the UI level and not at the backend controller level, allowing bypass via direct URL access. [1, 2, 3]

Impact Analysis

This vulnerability compromises confidentiality by exposing unpublished courses, which may contain draft or incomplete materials, to unauthorized users. It also affects integrity and availability since students can interact with courses that are not yet published, potentially disrupting course management and content integrity. Unauthorized access can lead to exposure of sensitive course content and unintended student submissions. [1, 2, 3]

Detection Guidance

This vulnerability can be detected by attempting to access unpublished courses directly via their URLs without proper authorization. For example, try accessing a course URL like http://<your-lms-domain>/lms/courses/<CourseName> while logged out or using an incognito browser session. If the unpublished course content or metadata is accessible, the vulnerability exists. Commands to test this could include using curl or wget to fetch course pages without authentication, e.g., curl -I http://<your-lms-domain>/lms/courses/<CourseName> to check HTTP response headers or curl http://<your-lms-domain>/lms/courses/<CourseName> to view content. Additionally, testing with authenticated LMS Student role accounts to see if unpublished course content and assignment submission are accessible can confirm the issue. [2, 3]

Mitigation Strategies

The immediate mitigation step is to upgrade the affected Frappe LMS component to a version where this vulnerability is fixed. Meanwhile, implement strict backend access controls that enforce permission checks at the controller level to ensure unpublished courses and their metadata are inaccessible unless the "Published" flag is set. Avoid relying solely on UI-level restrictions. Restrict direct URL access to unpublished courses and verify that only published courses are accessible to unauthorized or student users. [1, 2, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-11281. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart