CVE-2025-56747
BaseFortify
Publication date: 2025-10-14
Last updated on: 2025-10-21
Assigner: MITRE
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| creativeitem | academy_lms | up to and including 5.13 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-269 | The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a privilege escalation flaw in Creativeitem Academy LMS up to version 5.13. It occurs in the Api_instructor controller, where regular authenticated users can access instructor-only functions because the system fails to properly check if a user has the instructor role. Although JWT tokens are validated for authentication, the system does not verify the 'is_instructor=1' flag in the user's record, allowing unauthorized users to perform instructor-level actions such as creating and managing courses. [1]
How can this vulnerability impact me?
The vulnerability allows unauthorized users to create unlimited courses, modify existing course content, access sensitive instructor data and analytics, change instructor passwords and profiles, manipulate course pricing and availability, and bypass the platform's business model. This can lead to financial losses, exposure of sensitive data, compromise of the platform's integrity, damage to reputation, and loss of user trust. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring API requests to the endpoints that should be restricted to instructors only. Look for authenticated users without the instructor role reaching instructor-only API endpoints such as GET /lms/api_instructor/userdata, POST /lms/api_instructor/add_course, or POST /lms/api_instructor/change_password. Detection can be done by capturing and inspecting HTTP requests with tools like curl, or by using network monitoring tools to identify unauthorized access patterns. For example, the following curl call exercises an instructor-only endpoint with a regular user's JWT token:

```
curl -H "Authorization: Bearer <user_jwt_token>" https://your-lms-domain/lms/api_instructor/add_course
```

If the request succeeds without proper role validation, the vulnerability is present. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include adding role validation checks in the Api_instructor controller to verify both JWT token validity and the 'is_instructor' flag before granting access to instructor-only functions. If the user is not an instructor, the system should respond with HTTP 403 Forbidden and an appropriate error message. Additionally, implement consistent role-based access control using middleware, validate permissions at the database level, handle authorization errors properly, and add audit logging for privilege escalation attempts. [1]
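The authorization gate described above, as an added illustration in Python rather than the LMS's own PHP code: a valid JWT only authenticates the caller, and the instructor-only handler must separately check the user record's is_instructor flag and answer 403 otherwise. The signing key, user table and token-minting helper are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import logging
import time

# Constructed stand-ins: an HMAC key and a few LMS user records.
# is_instructor is the flag the advisory says Api_instructor never checked.
SECRET = b"demo-signing-key"
USERS = {
    1: {"email": "alice@example.test", "is_instructor": 1},
    2: {"email": "bob@example.test", "is_instructor": 0},
}

_b64url = lambda raw: base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
_b64url_decode = lambda text: base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(user_id, secret, ttl=3600):
    """Mint an HS256 JWT for the demo (a real deployment gets these from the LMS login API)."""
    enc = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    header, payload = enc({"alg": "HS256", "typ": "JWT"}), enc({"sub": user_id, "exp": int(time.time()) + ttl})
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_token(token, secret):
    """Authentication only: return the claims if signature and expiry check out, else None."""
    try:
        h64, p64, s64 = token.split(".")
        if json.loads(_b64url_decode(h64)).get("alg") != "HS256":
            return None  # refuse alg confusion / 'none'
        expected = hmac.new(secret, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s64)):
            return None
        claims = json.loads(_b64url_decode(p64))
        return claims if claims.get("exp", 0) > time.time() else None
    except (ValueError, AttributeError):  # malformed base64/JSON, wrong segment count
        return None

def require_instructor(token, secret):
    """Gate for instructor-only endpoints: a valid JWT is necessary but not sufficient."""
    claims = verify_token(token, secret)
    if claims is None:
        return 401, {"error": "invalid or expired token"}
    user = USERS.get(claims.get("sub"))
    if user is None or user["is_instructor"] != 1:  # the check the vulnerable controller lacked
        logging.warning("privilege escalation attempt: user %s hit instructor endpoint", claims.get("sub"))
        return 403, {"error": "instructor role required"}
    return 200, {"user_id": claims["sub"]}
```

Each instructor-only handler (add_course, change_password, userdata) would call require_instructor first and return its status when it is not 200; the warning line is the audit trail the mitigation advice asks for.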