Frappe LMS - v2.35.0 - Improper Access Controls

By 0xhamy, 05:41 AM, October 14th 2025

Type: software
Product Environment: web
Product Name: Frappe LMS
Product Vendor: Frappe
Product Version: 2.35.0
Product Link: https://github.com/frappe/lms
Vulnerability Name: Improper Access Controls
Severity: Medium
CVSS String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
CVSS Score: 6.5
CVE ID: CVE-2025-11281
Vendor Acknowledgement: Yes
Affected Digital Assets: 10
Affected Users: 50000
Date of Reporting: Sep 21, 2025
PoC Exploit: -
Credit: 0xhamy, KhanMarshai

Description

Frappe LMS version 2.35.0 allows unauthenticated users to access unpublished courses.
According to official documentation, courses should only be visible once published. However, by knowing the course name, anyone can directly access its page regardless of publication status.

Vulnerability Details

Frappe’s intended behavior is that courses remain inaccessible until explicitly published.
In practice, unpublished courses are only hidden from the course listing; their pages remain reachable by direct URL because the “Published” flag is never checked when a course is requested by name.

  • For unauthenticated users: course metadata can be viewed.
  • For authenticated users with the LMS Student role: full course content becomes visible, and assignments can be submitted even when the course is unpublished.

Steps to Reproduce

  1. Log in as an instructor.
  2. Create a new course.
    • Go to: http://127.0.0.1:8000/lms/courses
    • Create a course.
  3. Ensure the course is unpublished.
    • In course settings, leave the “Published” checkbox unchecked.
  4. Access the unpublished course.
    • Log out, or open an incognito/private browser window.
    • Navigate directly to the course URL by using its name, for example:
      http://127.0.0.1:8000/lms/courses/MyGrandCourse
  5. Observe the results.
    • As an unauthenticated user, you can still access the course page.
    • If logged in as an LMS Student, you can view unpublished course content and even submit assignments.

Recommendation

  • Apply strict access controls to unpublished courses.
  • Ensure that course content and metadata are completely inaccessible unless the “Published” flag is set.
  • Validate access permissions at the controller level, not just in the UI display logic.
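As an added illustration (not Frappe LMS code), the following Python models the listing-only filter this advisory describes beside the controller-level check the recommendation calls for; the course names, user addresses and the Moderator role are assumed.

```python
from dataclasses import dataclass, field

@dataclass
class Session:
    user: str = "Guest"  # "Guest" models an unauthenticated visitor
    roles: set = field(default_factory=set)

@dataclass
class Course:
    name: str
    published: bool
    instructors: set = field(default_factory=set)
    content: str = ""

# Constructed sample data; the names and addresses are hypothetical.
COURSES = {
    "MyGrandCourse": Course("MyGrandCourse", False, {"alice@example.com"}, "lesson 1"),
    "PublicCourse": Course("PublicCourse", True, {"alice@example.com"}, "lesson A"),
}

def list_courses_vulnerable():
    """Vulnerable pattern: the Published flag is checked only when building the listing."""
    return [c.name for c in COURSES.values() if c.published]

def get_course_vulnerable(name, session):
    """...so the detail route, reached by name, serves any course to anyone."""
    return COURSES[name]

def can_view_course(course, session):
    """Controller-level rule: published courses are public; unpublished ones are
    visible only to their instructors or to a Moderator (hypothetical role name)."""
    if course.published:
        return True
    if session.user == "Guest":
        return False
    return session.user in course.instructors or "Moderator" in session.roles

def get_course_fixed(name, session):
    """Every route that exposes course data, metadata included, goes through the check."""
    course = COURSES.get(name)
    if course is None or not can_view_course(course, session):
        # same answer for missing and forbidden courses, so names cannot be probed
        raise PermissionError(f"course not accessible: {name}")
    return course

def submit_assignment(name, session, answer):
    """Write paths need the same check: no submissions to an unpublished course."""
    course = get_course_fixed(name, session)
    if "LMS Student" not in session.roles:
        raise PermissionError("only students submit assignments")
    return {"course": course.name, "user": session.user, "answer": answer}
```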