CVE-2025-66581
BaseFortify
Publication date: 2025-12-05
Last updated on: 2025-12-11
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| frappe | learning | to 2.41.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Frappe Learning Management System (LMS) prior to version 2.41.0 is due to a flaw in the server-side authorization logic. It allowed authenticated users with low-privileged roles, such as students, to perform actions beyond their assigned roles by bypassing client-side or UI-level permission checks and directly using the API. This means users could execute operations intended only for instructors or administrators.
How can this vulnerability impact me? :
The vulnerability can impact you by allowing users with low privileges to perform unauthorized actions within the LMS. This could lead to unauthorized access to sensitive content, modification of course materials, or administrative functions being performed by users who should not have such permissions, potentially compromising the integrity and security of the learning environment.
What immediate steps should I take to mitigate this vulnerability?
Upgrade the Frappe Learning Management System to version 2.41.0 or later, as this version contains the fix for the server-side authorization flaw that allowed low-privileged users to perform unauthorized actions.