Frappe LMS - v2.35.0 - Improper Access Controls (unauthenticated)

By 0xhamy 05:35 AM - October 14th 2025
Type: software
Product Environment: web
Product Name: Frappe LMS
Product Vendor: Frappe
Product Version: 2.35.0
Product Link: https://github.com/frappe/lms
Vulnerability Name: Improper Access Controls
Severity: High
CVSS String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS Score: 7.5
CVE ID: CVE-2025-11280
Vendor Acknowledgement: Yes
Affected Digital Assets: 10
Affected Users: 50000
Date of Reporting: Sep 21, 2025
PoC Exploit: -
Credit: 0xhamy, KhanMarshai

Description

Frappe LMS version 2.35.0 is vulnerable to improper access controls.
Files uploaded by students or instructors are accessible to unauthenticated users, allowing private assignment submissions to be retrieved without login.

Vulnerability Details

In Frappe LMS, uploaded files are stored under the /files/ directory.
Assignments and course submissions, which should only be visible to instructors and students, are instead publicly accessible.
As a result, anyone who knows or guesses a file’s path can download it without authentication.

Steps to Reproduce

  1. Log in as an administrator.

    • Navigate to: http://127.0.0.1:8000/app/user?enabled=1

  2. Create a student account.

    • Add a new user.
    • Assign the role: LMS Student.

  3. Create an assignment.

    • Go to: http://127.0.0.1:8000/lms/assignments
    • Create a new assignment with type set to Text.

  4. Create a course and attach the assignment.

    • Navigate to: http://127.0.0.1:8000/lms/courses
    • Create a course.
    • Add a chapter to the course.
    • Add the assignment you created as chapter content.
    • Publish the course (optional; the vulnerability works even if unpublished).

  5. Log in as the student.

    • Open the course assignment page:
      http://127.0.0.1:8000/lms/courses/MyGrandCourse/learn/2-1

  6. Upload a file (e.g., an image).

    • After uploading, right-click the file and open it in a new tab.
    • The file will have a direct URL, for example:
      http://127.0.0.1:8000/files/mypicture.jpeg

  7. Access the file without authentication.

    • Log out or open a private/incognito browser window.
    • Paste the file URL (from step 6).
    • The file is still accessible, even without logging in.

Recommendation

  • Enforce authentication and authorization checks on all file requests under /files/.
  • Ensure that only authorized users (e.g., the file owner and course instructors) can access assignment submissions.
  • Store uploaded files in a location that is not directly web-accessible, and serve them only after verifying permissions.
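As an added illustration of the recommendation (not Frappe's own code; the data model, user names and instructor handling are assumed), a minimal permission check placed in front of file delivery, shown beside the unchecked behaviour the report describes:

```python
from dataclasses import dataclass, field

GUEST = "Guest"           # identity of an unauthenticated request (assumed)
ADMIN = "Administrator"   # the account used in step 1 of the report


@dataclass
class Course:
    name: str
    instructors: set = field(default_factory=set)


@dataclass
class Submission:
    path: str      # URL path of the uploaded file, e.g. /files/mypicture.jpeg
    owner: str     # the student who uploaded it
    course: str    # course the assignment belongs to


# Constructed sample data mirroring the reproduction steps (not real accounts).
COURSES = {"MyGrandCourse": Course("MyGrandCourse", instructors={"teacher@example.com"})}
SUBMISSIONS = {
    "/files/mypicture.jpeg": Submission("/files/mypicture.jpeg", "student@example.com", "MyGrandCourse"),
}


def can_download(user: str, path: str) -> bool:
    """Authorization decision that must run before any byte of the file is served."""
    if user == GUEST:                         # unauthenticated: deny before any lookup
        return False
    sub = SUBMISSIONS.get(path)
    if sub is None:                           # unknown path: deny by default
        return False
    if user == ADMIN or user == sub.owner:    # administrator or the uploading student
        return True
    course = COURSES.get(sub.course)          # instructors of the submission's course
    return course is not None and user in course.instructors


def serve_vulnerable(user: str, path: str) -> int:
    """Reported behaviour: anything under /files/ is returned; the session is ignored."""
    return 200 if path in SUBMISSIONS else 404


def serve_hardened(user: str, path: str) -> int:
    """Fixed behaviour: permission check first. Unknown paths also get 403, so the
    response does not tell an unauthorized caller whether a file exists."""
    return 200 if can_download(user, path) else 403
```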