Frappe LMS 2.40.0 – Public Access to Instructor Media in Course Details and Quizzes

By 0xhamy 03:12 AM - December 14th 2025
Type: software
Product Environment: web
Product Name: Frappe LMS
Product Vendor: Frappe
Product Version: 2.40.0
Product Link: https://github.com/frappe/lms
Vulnerability Name: Improper Access Control
Severity: High
CVSS String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS Score: 7.5
CVE ID: -
Vendor Acknowledgement: No
Affected Digital Assets: 10
Affected Users: 50000
Date of Reporting: Nov 27, 2025
PoC Exploit: https://gist.github.com/0xHamy/83abdce4a472b80ecae8c436929aeecf
Credit: 0xhamy

Description

Frappe LMS version 2.40.0 is affected by an access control vulnerability where media uploaded by instructors to course details and quizzes is publicly accessible to unauthenticated users.

This includes:

  • Media uploaded to unpublished course details (e.g. course description).
  • Media uploaded to quizzes used within courses.

All such media is stored under /files/ and is accessible without authentication if the filename or URL is known or guessed.

Vulnerability Details

Two related behaviors share the same root cause: instructor-uploaded media for course and quiz content is served from a publicly accessible file endpoint without any authorization checks.

  1. Course details (including unpublished courses)

    • When an instructor creates or edits a course via /lms/courses/new/edit or /lms/courses/COURSE_NAME/edit, media uploaded to fields like Course description is stored under /files/.
    • Even if the course is never published, the media remains accessible via direct URL.
  2. Quiz media

    • Media attached to quiz questions or quiz content is similarly uploaded under /files/.
    • These files are accessible without authentication.

Since quiz content may include exam questions, diagrams, or answer hints, and course detail media may be intended for limited audiences, this leads to a significant information disclosure issue.

Steps to Reproduce

A. Course Details Media (Unpublished Course)

  1. Log in as an instructor.

    • Navigate to /lms/courses.
  2. Create a new course and upload media to course details.

    • Open: /lms/courses/new/edit
    • Fill in the required fields.
    • In the Course description (or a similar rich-text field), upload an image or media file.
    • Note that the file is stored under a URL such as:
      /files/FILENAME.ext
  3. Ensure the course is unpublished.

    • Leave the “Published” option unchecked.
  4. Access the media without authentication.

    • Log out (or open an unauthenticated browser session).
    • Open:
      http://localhost:8000/files/FILENAME.ext
    • The media is accessible despite the course being unpublished and no active session.

B. Quiz Media

  1. Log in as an instructor and create a quiz.

    • Navigate to /lms/quizzes and click the "Create" button in the top-right corner.
  2. Add a quiz question with media.

    • In the new window that opens (e.g. /lms/quizzes/Test), click "New Question" to create a question for the quiz.
    • In the Question text area, upload one or more media files.
    • These files are uploaded to /files/, making them globally accessible by URL.
    • Click "Save" to store the question.
  3. Access quiz media without authentication.

    • Log out or use an unauthenticated session.
    • Navigate directly to:
      http://localhost:8000/files/FILENAME.ext
    • The media is publicly accessible without any authentication or authorization.

Impact

  • Exposure of quiz/exam content: Images or media embedded in quizzes may include question statements, diagrams, or other sensitive assessment material that can be accessed in advance by unauthorized users.
  • Leakage of unpublished course information: Unpublished course branding, diagrams, or internal assets become accessible even before the course is officially released.
  • Business and academic integrity risk: Pre-exposure of exam content undermines fairness, may compromise course integrity, and can have reputational and compliance impacts.

Because quizzes often contain assessment content and may be reused, the worst-case confidentiality impact is high.

Recommendation

  • Enforce authentication and authorization checks for all media served under /files/, especially:
    • Course details media.
    • Quiz-related media.
  • Restrict file access based on:
    • Course publication status.
    • User role (student/instructor/admin).
    • Enrollment status for the corresponding course.
  • Serve files via a permission-aware endpoint instead of direct static URLs.
  • Consider using:
    • Per-course scoped storage for media.
    • Signed, expiring URLs that validate the user’s permissions at request time.
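The permission-aware endpoint and signed, expiring URLs recommended above, as an added example that is not Frappe's or the reporter's code: the in-memory course, user and enrollment records are constructed here, and the field names, SECRET, and the /files/COURSE/FILENAME URL layout are assumptions.

```python
import hashlib, hmac, time
from dataclasses import dataclass, field
SECRET = b"constructed-demo-secret"  # placeholder; load from config in practice

# Constructed in-memory stand-ins for LMS records (not Frappe's real schema).
@dataclass
class Course:
    name: str
    instructor: str
    published: bool = False
    media: set = field(default_factory=set)  # files in course details/quizzes

@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)     # "Student", "Instructor", "Admin"
    enrolled: set = field(default_factory=set)  # names of enrolled courses

def can_access(user, course, filename):
    """Authorization check a /files/ handler should run before serving media."""
    if filename not in course.media:
        return False
    if "Admin" in user.roles or user.name == course.instructor:
        return True
    # Students only see media of published courses they are enrolled in.
    return ("Student" in user.roles and course.published
            and course.name in user.enrolled)

def sign_url(user, course, filename, ttl=300, now=None):
    """Issue a short-lived signed URL, and only after the permission check."""
    if not can_access(user, course, filename):
        return None
    exp = int(time.time() if now is None else now) + ttl
    msg = f"{user.name}|{course.name}|{filename}|{exp}".encode()
    sig = hmac.new(SECRET, msg, hashlib.sha256).hexdigest()
    return f"/files/{course.name}/{filename}?u={user.name}&exp={exp}&sig={sig}"

def verify_url(url, user, courses, now=None):
    """Server side: signature valid, not expired, same session user, live permission."""
    path, _, query = url.partition("?")
    p = dict(kv.split("=", 1) for kv in query.split("&") if "=" in kv)
    _, _, course_name, filename = path.split("/", 3)
    course = courses.get(course_name)
    if course is None or p.get("u") != user.name:
        return False
    msg = f"{user.name}|{course_name}|{filename}|{p.get('exp', '')}".encode()
    good = hmac.new(SECRET, msg, hashlib.sha256).hexdigest()
    now = time.time() if now is None else now
    if not hmac.compare_digest(good, p.get("sig", "")) or int(p["exp"]) <= now:
        return False
    return can_access(user, course, filename)
```

Because verify_url re-runs can_access at request time, a link that leaks or is forwarded to another session is refused even before it expires.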