CVE-2025-11281
BaseFortify

Publication date: 2025-10-05

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability has been found in Frappe LMS 2.35.0. The affected element is an unknown function of the file /courses/ of the component Unpublished Course Handler. Such manipulation leads to improper access controls. The attack may be launched remotely. This attack is characterized by high complexity. The exploitability is described as difficult. The exploit has been disclosed to the public and may be used. You should upgrade the affected component. The vendor was informed early about a total of four security issues and confirmed that those have been fixed. However, the release notes on GitHub do not mention them.
Meta Information
Published: 2025-10-05
Last Modified: 2026-04-29
Generated: 2026-05-07
AI Q&A: 2025-10-05
EPSS Evaluated: 2026-05-05
NVD
Affected Vendors & Products
Showing 1 associated CPE
Vendor   Product    Version / Range
frappe   learning   2.35.0
CWE
CWE ID    Description
CWE-266   A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
CWE-284   The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-11281 is an improper access control vulnerability in Frappe LMS version 2.35.0 affecting the Unpublished Course Handler component at the /courses/ endpoint. It allows unauthorized users to access unpublished courses that should normally be hidden. Unauthenticated users can view course metadata by directly accessing the course URL, while authenticated users with the LMS Student role can view full course content and submit assignments even if the course is unpublished. This happens because access controls are only enforced at the UI level and not at the backend controller level, allowing bypass via direct URL access. [1, 2, 3]


How can this vulnerability impact me?

This vulnerability compromises confidentiality by exposing unpublished courses, which may contain draft or incomplete materials, to unauthorized users. It also affects integrity and availability since students can interact with courses that are not yet published, potentially disrupting course management and content integrity. Unauthorized access can lead to exposure of sensitive course content and unintended student submissions. [1, 2, 3]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by attempting to access unpublished courses directly via their URLs without proper authorization. For example, try accessing a course URL like http://<your-lms-domain>/lms/courses/<CourseName> while logged out or using an incognito browser session. If the unpublished course content or metadata is accessible, the vulnerability exists. Commands to test this could include using curl or wget to fetch course pages without authentication, e.g., curl -I http://<your-lms-domain>/lms/courses/<CourseName> to check HTTP response headers or curl http://<your-lms-domain>/lms/courses/<CourseName> to view content. Additionally, testing with authenticated LMS Student role accounts to see if unpublished course content and assignment submission are accessible can confirm the issue. [2, 3]


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade the affected Frappe LMS component to a version where this vulnerability is fixed. Meanwhile, implement strict backend access controls that enforce permission checks at the controller level to ensure unpublished courses and their metadata are inaccessible unless the "Published" flag is set. Avoid relying solely on UI-level restrictions. Restrict direct URL access to unpublished courses and verify that only published courses are accessible to unauthorized or student users. [1, 2, 3]
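A framework-agnostic illustration of the mitigation described above (enforcing the "published" check in the backend handler rather than only in the UI), added here as an example; it is not Frappe LMS code, and the role names, course records, user model and function names are constructed for the example:

```python
"""Added example, not Frappe LMS code: the published flag must be checked in the
backend handler, because a UI that merely hides the link does nothing against a
direct request to the course URL."""
from dataclasses import dataclass, field


class AccessDenied(Exception):
    """Raised by the handler when the caller may not see or act on a course."""


@dataclass
class Course:
    name: str
    title: str
    published: bool
    instructors: set[str] = field(default_factory=set)


@dataclass
class User:
    name: str                                  # "Guest" models an unauthenticated session
    roles: set[str] = field(default_factory=set)


# Constructed sample catalogue: one published course, one unpublished draft.
COURSES = {
    "intro-python": Course("intro-python", "Intro to Python", published=True),
    "draft-rust": Course("draft-rust", "Rust (draft)", published=False,
                         instructors={"alice"}),
}

# Hypothetical role names for the example; real deployments use their own.
MANAGER_ROLES = {"System Manager", "Moderator", "Course Creator"}


def can_view_course(course: Course, user: User) -> bool:
    """Authorization decision used by every server-side path.

    Published courses are visible to everyone; unpublished ones only to
    managers and to the course's own instructors. A student role alone does
    not grant access to a draft."""
    if course.published:
        return True
    if user.roles & MANAGER_ROLES:
        return True
    return user.name in course.instructors


def get_course_vulnerable(course_name: str, user: User) -> Course:
    """Before: the handler returns the record unconditionally and relies on the
    UI to hide unpublished courses, so a direct URL request bypasses the check."""
    return COURSES[course_name]


def get_course(course_name: str, user: User) -> Course:
    """After: the check runs inside the handler, so direct URL access is covered."""
    course = COURSES.get(course_name)
    if course is None or not can_view_course(course, user):
        # Same response for unknown and hidden courses so existence is not leaked.
        raise AccessDenied(f"course not accessible: {course_name}")
    return course


def is_accessible(course_name: str, user: User) -> bool:
    """Boolean wrapper around get_course, convenient for tests and audits."""
    try:
        get_course(course_name, user)
        return True
    except AccessDenied:
        return False


def submit_assignment(course_name: str, user: User, payload: bytes) -> dict:
    """Write path: re-run the visibility check and require a logged-in student,
    instead of trusting that the page was reachable in the browser."""
    course = get_course(course_name, user)     # raises for unpublished or unknown
    if user.name == "Guest" or "LMS Student" not in user.roles:
        raise AccessDenied("only logged-in students may submit")
    return {"course": course.name, "student": user.name, "size": len(payload)}


def try_submit(course_name: str, user: User, payload: bytes):
    """Returns the submission record, or None when the handler denies it."""
    try:
        return submit_assignment(course_name, user, payload)
    except AccessDenied:
        return None


if __name__ == "__main__":
    guest = User("Guest")
    student = User("bob", {"LMS Student"})
    print("vulnerable handler leaks draft to guest:",
          get_course_vulnerable("draft-rust", guest).title)
    print("hardened handler, guest sees draft:", is_accessible("draft-rust", guest))
    print("hardened handler, student submits to draft:",
          try_submit("draft-rust", student, b"answer"))
```

The point of `get_course` is that the same decision function is consulted by every server-side entry point (read and write) and that unknown and unpublished courses produce the same denial, so probing URLs reveals neither drafts nor their existence.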

