CVE-2025-64705
BaseFortify
Publication date: 2025-11-12
Last updated on: 2025-11-17
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| frappe | learning | From 2.0.0 (inc) to 2.41.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
| CWE-NVD-CWE-noinfo |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Frappe Learning versions from 2.0.0 up to but not including 2.41.0 allowed users to access submissions made by other students. It was caused by improper role enforcement and lack of redirection when accessing submissions via direct URL. The issue was fixed in version 2.41.0 by ensuring proper roles and redirecting unauthorized access attempts.
How can this vulnerability impact me? :
This vulnerability could lead to unauthorized access to other students' submissions, potentially exposing private or sensitive academic information. This could compromise user privacy and trust in the learning system.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Frappe Learning to version 2.41.0 or later, as this version fixes the issue by ensuring proper roles and redirecting if submissions are accessed via direct URL.