CVE-2025-62158
BaseFortify
Publication date: 2025-10-10
Last updated on: 2025-10-20
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| frappe | learning | 2.37.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Frappe Learning versions prior to 2.38.0 caused student-uploaded assignment attachments to be stored as public files. As a result, anyone with the file URL could access these files without needing to authenticate, potentially exposing sensitive student data. The issue was fixed in version 2.38.0 by making all student-uploaded assignment attachments private by default.
How can this vulnerability impact me? :
The vulnerability could lead to unauthorized access to student-uploaded files, potentially exposing sensitive or private information to the public. This could result in privacy breaches and loss of trust in the learning system.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability could negatively impact compliance with data protection regulations such as GDPR and HIPAA because it allows unauthorized public access to potentially sensitive student data, violating requirements for data confidentiality and access controls.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Frappe Learning to version 2.38.0 or later, as this version fixes the issue by storing all student-uploaded assignment attachments as private files by default.