Frappe LMS 2.40.0 – Public Access to Instructor Comments and Feedback Media

By 0xhamy 03:08 AM - December 14th 2025
Type software
Product Environment web
Product Name Frappe LMS
Product Vendor Frappe
Product Version 2.40.0
Product Link https://github.com/frappe/lms
Vulnerability Name Improper Access Control
Severity Medium
CVSS String CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:M/I:N/A:N
CVSS Score 6.5
CVE ID -
Vendor Acknowledgement No
Affected Digital Assets 10
Affected Users 50000
Date of Reporting Nov 27, 2025
PoC Exploit https://gist.github.com/0xHamy/74f900b38f5e27409a3754e02c6aa78c
Credit 0xhamy

Description

Frappe LMS version 2.40.0 contains an access control vulnerability where media files uploaded by instructors in assignment feedback comments are publicly accessible to unauthenticated users.

Instructor feedback on student submissions, including attached screenshots or documents, is stored under /files/ and can be accessed without authentication if the filename or URL is known or guessed.

Vulnerability Details

The LMS provides a comment/feedback feature on assignment submissions, where instructors can leave comments and attach media files. These files are:

  • Uploaded by instructors through the assignment submission view.
  • Stored under the publicly accessible /files/ path.
  • Not protected by authentication or authorization checks.

Because this area directly relates to student submissions and instructor evaluation, the exposed content may include:

  • Student assignment content and work.
  • Grading feedback.
  • Screenshots, documents, or other sensitive material.

Steps to Reproduce

  1. Log in as an instructor and create a course and an assignment.

    • Go to courses: /lms/courses
    • Create a course: COURSE_NAME.
    • Go to assignments: /lms/assignments
    • Create an assignment (e.g. type Text).
  2. Attach the assignment to a course lesson.

    • Edit the course:
      /lms/courses/COURSE_NAME/edit
    • In the right sidebar, click "Add lesson" and open:
      /lms/courses/COURSE_NAME/learn/1-2/edit
    • In the lesson content, insert the assignment you created.
  3. Submit the assignment as a student.

    • Log in as a student.
    • Enroll in COURSE_NAME.
    • Submit any response to the assignment within the course.
  4. Leave instructor feedback with an attachment.

    • Log back in as an instructor.
    • Go to /lms/assignments and click the assignment attached to COURSE_NAME.
    • In the modal, click "Check submissions", opening:
      /lms/assignment-submissions?assignmentID=ASG-00003 (example).
    • Click on a specific submission, leading to:
      /lms/assignment-submission/ASG-00003/ASG-SUB-00006 (example).
    • On the right sidebar, add a comment and upload a media file.
  5. Access the uploaded media without authentication.

    • Note the media URL under /files/, e.g.:
      http://localhost:8000/files/feedback_image.png
    • Log out or use an unauthenticated browser window.
    • Open the /files/feedback_image.png URL directly.
    • The media is accessible without any login or permission checks.

Impact

  • Student privacy breach: Feedback and associated media may expose student performance, work quality, or sensitive context shared with instructors.
  • Information disclosure: Internal evaluation notes, screenshots, or documents can be accessed by anyone who discovers the URL.
  • Regulatory/compliance concerns: In some environments, instructor feedback on students may be considered educational records subject to privacy regulations.

The impact is primarily on confidentiality, but the sensitive context of instructor feedback makes this more severe than generic media exposure.

Recommendation

  • Enforce authentication and authorization checks on all media associated with assignment feedback and comments.
  • Store instructor feedback media in protected storage, checking:
    • Ownership of the submission.
    • Role (instructor vs. student).
    • Course/assignment visibility and enrollment status.
  • Avoid using a globally public /files/ endpoint for sensitive content; instead, serve files through an authenticated view that validates permissions.
  • Optionally, use signed, expiring URLs tied to authorized users.
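Added example, not code from the advisory or from the Frappe LMS code base: a plain-Python model of the two controls recommended above, an authorization check that a private-file view would run before streaming feedback media (ownership, role, enrollment), and a per-user signed, expiring URL. The User and Submission records, the instructor map, the demo secret and the /private/files/ path are assumptions constructed for this demo.

```python
import hashlib
import hmac
from dataclasses import dataclass
from urllib.parse import parse_qs, urlencode, urlparse


@dataclass(frozen=True)
class Submission:
    name: str       # e.g. "ASG-SUB-00006" (example id used in the advisory)
    course: str
    student: str    # user who owns the submission


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset        # e.g. {"Instructor"} or {"Student"}
    enrolled_in: frozenset  # course names the user is enrolled in


def can_view_feedback_file(user, submission, instructors_of_course):
    """Checks a private-file view must pass before serving feedback media.
    instructors_of_course maps course name -> set of instructor user names (assumed model)."""
    if user is None:
        return False  # unauthenticated request: never serve from a public /files/ path
    owns_it = user.name == submission.student and submission.course in user.enrolled_in
    teaches_it = ("Instructor" in user.roles
                  and user.name in instructors_of_course.get(submission.course, ()))
    return owns_it or teaches_it


SECRET = b"constructed-demo-secret"  # assumption: load from site config in a real deployment


def sign_file_url(path, user_name, expires_at, secret=SECRET):
    """Issue a URL usable only by user_name and only before expires_at (unix seconds)."""
    msg = f"{path}|{user_name}|{expires_at}".encode()
    sig = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return f"{path}?{urlencode({'u': user_name, 'exp': expires_at, 'sig': sig})}"


def verify_signed_url(url, current_user, now, secret=SECRET):
    """Reject URLs that are expired, tampered with, or presented by a different logged-in user."""
    parsed = urlparse(url)
    q = parse_qs(parsed.query)
    try:
        u, exp, sig = q["u"][0], int(q["exp"][0]), q["sig"][0]
    except (KeyError, ValueError):
        return False
    if u != current_user or now >= exp:
        return False
    expected = hmac.new(secret, f"{parsed.path}|{u}|{exp}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)
```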