CVE-2025-62158

Low CVSS: 2.7

Frappe Learning is a learning system that helps users structure their content. In versions prior to 2.38.0, the system did stored the attachments uploaded by the students in their assignments as public files. This issue potentially exposed student-uploaded files to the public. Anyone with the file URL could access these files without authentication. The issue has been fixed in version 2.38.0 by ensuring all student-uploaded assignment attachments are stored as private files by default.

Vendor

Frappe

Product

Learning

CWE

CWE-200

Yayın Tarihi

2025-10-10 20:15:39

Güncelleme

2025-10-20 17:18:16

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-200 Learning LOW Frappe 2025

Referanslar

https://github.com/frappe/lms/commit/78640561f558a6c7396f8be48874f79a54f03420 https://github.com/frappe/lms/security/advisories/GHSA-h6fh-7f24-f2j5

Benzer Kayıtlar

Medium

CVE-2026-34606

Frappe Learning Management System (LMS) is a learning system that helps users structure their content. From version 2.27…

High

CVE-2026-32954

ERP is a free and open source Enterprise Resource Planning tool. In versions prior to 16.8.0 and 15.100.0, certain endpo…

Critical

CVE-2026-31877

Frappe is a full-stack web application framework. Prior to 15.84.0 and 14.99.0, a specially crafted request made to a ce…

Medium

CVE-2026-31878

Frappe is a full-stack web application framework. Prior to 14.100.1, 15.100.0, and 16.6.0, a malicious user could send a…

Medium

CVE-2026-31879

Frappe is a full-stack web application framework. Prior to 14.100.2, 15.101.0, and 16.10.0, due to a lack of validation…

Medium

CVE-2026-28436

Frappe is a full-stack web application framework. Prior to versions 16.11.0 and 15.102.0, an attacker can set a crafted…