Frappe LMS 2.40.0 – Public Access to Instructor Assignment Media

By 0xhamy 03:04 AM - December 14th 2025

Type: software
Product Environment: web
Product Name: Frappe LMS
Product Vendor: Frappe
Product Version: 2.40.0
Product Link: https://github.com/frappe/lms
Vulnerability Name: Improper Access Control
Severity: Medium
CVSS String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVSS Score: 5.3
CVE ID: -
Vendor Acknowledgement: No
Affected Digital Assets: 10
Affected Users: 50000
Date of Reporting: Nov 27, 2025
PoC Exploit: https://gist.github.com/0xHamy/4dc7d48e81475f996dba0d194ca07a0d
Credit: 0xhamy

Description

Frappe LMS version 2.40.0 contains an access control vulnerability where media files uploaded by instructors to assignments are publicly accessible to unauthenticated users.

While media uploaded by students to assignments is stored as private, instructor-uploaded media is stored under the /files/ path and can be accessed by anyone who knows or guesses the file URL.

Vulnerability Details

The application applies inconsistent access control to assignment media uploads:

  • Student uploads are treated as private.
  • Instructor uploads within assignment questions are stored under /files/ and are accessible without authentication.

This allows an unauthenticated attacker to retrieve potentially sensitive teaching material or internal resources by directly requesting the file path or fuzzing filename patterns.

Steps to Reproduce

  1. Log in as an instructor.
    • Navigate to the assignments page:
      http://localhost:8000/lms/assignments

  2. Create a new assignment.
    • Click the "Create" button in the top-right corner.
    • In the assignment creation modal, locate the question text area.

  3. Upload media in the question field.
    • Use the media upload/browse functionality in the question editor.
    • Upload an image or other media file.
    • Observe that the file is stored under a URL like:
      http://localhost:8000/files/faj.png

  4. Access the file without authentication.
    • Log out of the application (or use a private browser window).
    • Directly open the file URL, for example:
      http://localhost:8000/files/faj.png
    • The media is still accessible, despite no active session.

Impact

  • Information disclosure: Internal teaching materials, assignment content, hints, or embedded resources uploaded by instructors can be accessed by unauthenticated users.
  • Loss of confidentiality: Assignment wording or example material meant only for enrolled students or specific cohorts becomes globally accessible.
  • Reconnaissance: An attacker can fuzz or brute-force /files/ to enumerate other private resources uploaded by instructors.

While the impact is primarily on confidentiality, the risk is increased by the lack of authentication for the /files/ endpoint and the predictability of filenames.

Recommendation

  • Enforce authentication and authorization checks on all media endpoints under /files/.
  • Store assignment-related media in a protected storage layer where access is checked against:
    • Course enrollment
    • Assignment visibility
    • User role (student/instructor/admin)
  • Avoid relying on predictable or user-controlled filenames for access control.
  • Consider using signed, time-limited URLs for file access, tied to the current user session and permissions.
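
The last recommendation, sketched as an added example (not Frappe LMS code and not part of the original report): an HMAC-signed file URL that expires and is bound to one user. The function names, the signing key and the user identifiers are assumptions made for illustration, and the enrollment/role check is assumed to run before `sign_url` is called.

```python
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed demo key; a real deployment loads a random secret from server-side config.
SIGNING_KEY = b"constructed-demo-key-not-for-production"


def _mac(path: str, user: str, expires: int) -> str:
    # Newline-separated fields so path, user and expiry cannot be shifted into each other.
    msg = f"{path}\n{user}\n{expires}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def sign_url(path: str, user: str, ttl: int = 300, now: Optional[float] = None) -> str:
    """Issue a link for `user`; call only after the permission check has passed."""
    expires = int(now if now is not None else time.time()) + ttl
    query = urlencode({"expires": expires, "sig": _mac(path, user, expires)})
    return f"{path}?{query}"


def verify_url(url: str, session_user: str, now: Optional[float] = None) -> bool:
    """Validate a requested URL against the user of the current session."""
    parsed = urlparse(url)
    query = parse_qs(parsed.query)
    try:
        expires = int(query["expires"][0])
        sig = query["sig"][0]
    except (KeyError, ValueError):
        return False  # unsigned or malformed request, e.g. a bare file path
    current = now if now is not None else time.time()
    if current > expires:
        return False  # link has expired
    expected = _mac(parsed.path, session_user, expires)
    # Constant-time comparison; bytes avoid a TypeError on non-ASCII input.
    return hmac.compare_digest(sig.encode(), expected.encode())
```

A file handler using this scheme would reject any request for which `verify_url` returns False, so a guessed or leaked path alone no longer retrieves the file.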