Frappe LMS 2.40.0 – Public Access to Student Community Question Media

By 0xhamy 03:10 AM - December 14th 2025
Type software
Product Environment web
Product Name Frappe LMS
Product Vendor Frappe
Product Version 2.40.0
Product Link https://github.com/frappe/lms
Vulnerability Name Improper Access Control
Severity Medium
CVSS String CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:M/I:N/A:N (as published; C:M is not a defined CVSS 3.1 value, the Confidentiality metric takes N, L or H. With the other metrics as given, C:L scores 5.3 and C:H scores 7.5.)
CVSS Score 6.5
CVE ID -
Vendor Acknowledgement No
Affected Digital Assets 10
Affected Users 50000
Date of Reporting Nov 27, 2025
PoC Exploit https://gist.github.com/0xHamy/79fa55aed109942b033bf334b4405d3b
Credit 0xhamy

Description

Frappe LMS version 2.40.0 contains an access control vulnerability where media attached to community questions created by students is publicly accessible to unauthenticated users.

Under each assignment, students can post community questions intended for internal LMS use only. However, any media they upload in these questions is stored under /files/ and can be accessed by anyone with the URL.

Vulnerability Details

The LMS provides Notes and Community features under each assignment. In the Community tab:

  • Students can create questions and attach media.
  • Media is uploaded as a public File and stored under the /files/ path, which Frappe serves as static content.
  • No authentication is required to access these file URLs; only the /private/files/ path is gated by a permission check.

Since community questions are often informal and user-generated, students may upload:

  • Screenshots containing usernames, system details, or personal data.
  • Logs or configuration files.
  • Other documents or images not intended for public exposure.

Steps to Reproduce

  1. Log in as an instructor and create a course and an assignment.

    • Go to courses: /lms/courses
    • Create a course: COURSE_NAME.
    • Go to assignments: /lms/assignments
    • Create an assignment (e.g. type Text).
  2. Attach the assignment to a course lesson.

    • Edit the course:
      /lms/courses/COURSE_NAME/edit
    • In the right sidebar, click "Add lesson" and open:
      /lms/courses/COURSE_NAME/learn/1-2/edit
    • Insert the assignment into the lesson content.
  3. Create a community question with media as a student.

    • Log in as a student and enroll in COURSE_NAME.
    • Open the relevant lesson/assignment.
    • On the left, click "Community" (near "Notes").
    • Click "New Question".
    • Provide a title and, in the details text area, upload a media file.
  4. Obtain the media URL.

    • After uploading, note the file URL used by the editor, e.g.:
      /files/FILENAME.ext
  5. Access the media without authentication.

    • Log out or open a new browser session without logging in.
    • Directly navigate to:
      http://localhost:8000/files/FILENAME.ext
    • The file is accessible without login.
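
The check in step 5 can be scripted. The following is an added example for this advisory, not part of the original report or of Frappe LMS: it replays an anonymous GET (no cookies, no Authorization header) against each file path noted in step 4 and flags a 200 that returns the media itself. The HTTP transport is injectable so the logic runs offline against the constructed responses at the bottom; the default transport uses urllib against a real instance. The base URL and file names are placeholders.

```python
"""Probe whether Frappe LMS file URLs answer an unauthenticated GET."""
from __future__ import annotations

import urllib.error
import urllib.request
from typing import Callable, Dict, Iterable, Tuple

Headers = Dict[str, str]
Fetcher = Callable[[str], Tuple[int, Headers]]


def http_fetch(url: str) -> Tuple[int, Headers]:
    """Anonymous GET: a fresh request carrying no session cookie. Returns (status, headers)."""
    req = urllib.request.Request(url, method="GET", headers={"User-Agent": "lms-file-check"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, {k.lower(): v for k, v in resp.headers.items()}
    except urllib.error.HTTPError as err:
        return err.code, {k.lower(): v for k, v in err.headers.items()}


def is_exposed(status: int, headers: Headers) -> bool:
    """True when the anonymous request got the uploaded media back.

    Frappe answers protected paths with 403 or redirects to /login (urllib follows
    the redirect, so that arrives here as a 200 text/html page). A 200 whose body
    is not HTML is the file being served. Caveat: an uploaded .html file would be
    misclassified; inspect those by hand.
    """
    if status != 200:
        return False
    return not headers.get("content-type", "").lower().startswith("text/html")


def check_paths(base_url: str, paths: Iterable[str], fetch: Fetcher = http_fetch) -> Dict[str, dict]:
    """Return {path: {"status": int, "exposed": bool}} for each file path."""
    results: Dict[str, dict] = {}
    for path in paths:
        status, headers = fetch(base_url.rstrip("/") + path)
        results[path] = {"status": status, "exposed": is_exposed(status, headers)}
    return results


# Constructed responses standing in for a live instance (not captured traffic):
# the public /files/ route serves the PNG, the private route refuses it.
SAMPLE_RESPONSES: Dict[str, Tuple[int, Headers]] = {
    "http://localhost:8000/files/screenshot.png": (200, {"content-type": "image/png"}),
    "http://localhost:8000/private/files/screenshot.png": (403, {"content-type": "text/html; charset=utf-8"}),
    "http://localhost:8000/files/missing.png": (404, {"content-type": "text/html; charset=utf-8"}),
}
SAMPLE_PATHS = ["/files/screenshot.png", "/private/files/screenshot.png", "/files/missing.png"]


def sample_fetch(url: str) -> Tuple[int, Headers]:
    """Offline transport returning the constructed responses above."""
    return SAMPLE_RESPONSES.get(url, (404, {}))


if __name__ == "__main__":
    import sys

    # Usage: python check_files.py http://localhost:8000 /files/FILENAME.ext [...]
    if len(sys.argv) > 2:
        report = check_paths(sys.argv[1], sys.argv[2:])
    else:
        report = check_paths("http://localhost:8000", SAMPLE_PATHS, fetch=sample_fetch)
    for path, r in report.items():
        print(f"{r['status']}  {'EXPOSED' if r['exposed'] else 'ok     '}  {path}")
```

Run it from a machine with no LMS session; any path reported EXPOSED under /files/ confirms the finding, while the same file name under /private/files/ should come back 403.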

Impact

  • Student privacy risk: Students may unintentionally share sensitive or personal information in screenshots or documents.
  • Information disclosure: Material intended only for course participants becomes accessible to the public.
  • Reconnaissance: because /files/ is served statically without a permission check, attackers can guess or fuzz file names under it to discover other community-uploaded content.

Because students often treat "community" areas as semi-private spaces, the likelihood of unintentionally sharing sensitive information is relatively high.

Recommendation

  • Enforce authentication and authorization on any route that serves community content; do not place such content under the static /files/ path.
  • Restrict access to community question media to:
    • Authenticated users.
    • Enrolled students and instructors of the corresponding course.
  • Upload community media as private files (File.is_private = 1) so they are stored under /private/files/ and served through Frappe's permission check on the attached document, rather than as direct static URLs.
  • Inform students about visibility scopes and ensure the backend enforces those scopes.
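
The decision a permission-aware download route has to make, as an added example that is not Frappe LMS code. The course, enrollment and question-to-course link below are hypothetical stand-ins for whatever the application stores; Frappe's real lever is the File doctype's is_private flag, which moves a file under /private/files/ where the framework checks permission on the attached document before serving it. The fixtures are constructed, not real accounts or courses.

```python
"""Deny-by-default access model for community-question media."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, Optional, Set

GUEST = "Guest"  # Frappe's user name for an unauthenticated session


@dataclass(frozen=True)
class Course:
    name: str
    instructors: Set[str]
    enrolled: Set[str]


@dataclass(frozen=True)
class MediaFile:
    file_url: str
    is_private: bool
    course: Optional[str]  # course owning the community question (hypothetical link)


def can_read(user: str, media: MediaFile, courses: Dict[str, Course]) -> bool:
    """Public files stay public. Private course media requires an authenticated
    user who is enrolled in, or instructs, the owning course. A private file whose
    owner cannot be resolved fails closed."""
    if not media.is_private:
        return True
    if not user or user == GUEST:
        return False
    if media.course is None or media.course not in courses:
        return False
    course = courses[media.course]
    return user in course.enrolled or user in course.instructors


def serve(user: str, path: str, files: Dict[str, MediaFile], courses: Dict[str, Course]) -> int:
    """HTTP status such a route would return.

    Unknown and forbidden private paths both answer 403, so an anonymous caller
    cannot tell 'exists but protected' from 'absent' and enumerate the store;
    public paths behave like a static server."""
    media = files.get(path)
    if media is None:
        return 403 if path.startswith("/private/files/") else 404
    return 200 if can_read(user, media, courses) else 403


def as_private_upload(file_name: str, course: str) -> MediaFile:
    """Community uploads must be created private; a public File is what put them
    under /files/ in the first place."""
    return MediaFile(file_url=f"/private/files/{file_name}", is_private=True, course=course)


# Constructed fixtures (hypothetical users and course).
COURSES = {
    "COURSE_NAME": Course("COURSE_NAME", instructors={"teacher@example.com"}, enrolled={"student@example.com"}),
}
FILES = {
    "/files/syllabus.pdf": MediaFile("/files/syllabus.pdf", is_private=False, course=None),
    "/private/files/screenshot.png": as_private_upload("screenshot.png", "COURSE_NAME"),
}

if __name__ == "__main__":
    for user in ("Guest", "student@example.com", "other@example.com", "teacher@example.com"):
        for path in ("/files/syllabus.pdf", "/private/files/screenshot.png", "/private/files/nothing.png"):
            print(f"{user:22} {path:32} -> {serve(user, path, FILES, COURSES)}")
```

The unenrolled but authenticated user is the case worth keeping in the test set: "logged in" alone is not the right scope for course material, enrollment (or instructor role) in the owning course is.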