Frappe LMS CVE-2025-11280
Severity by source: LOW
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
Description (CVE.org)
A flaw has been found in Frappe LMS 2.35.0. Impacted is an unknown function of the file /files/ of the component Assignment Picture Handler. This manipulation causes direct request. The attack may be initiated remotely. The attack's complexity is rated as high. The exploitability is considered difficult. The exploit has been published and may be used. It is advisable to upgrade the affected component. The vendor was informed early about a total of four security issues and confirmed that those have been fixed. However, the release notes on GitHub do not mention them.
Analysis (AI)
Information disclosure vulnerability in Frappe LMS 2.35.0 allows remote unauthenticated attackers to access sensitive assignment picture data through direct requests to the /files/ endpoint with high attack complexity. The vulnerability carries a CVSS score of 2.9 with low confidentiality impact, and publicly available exploit code exists, though real-world exploitation risk remains minimal given the high complexity requirement and low EPSS score of 0.04%.
Technical Context (AI)
Frappe LMS is a learning management system built on the Frappe framework. The vulnerability resides in the Assignment Picture Handler component, specifically the /files/ endpoint, which processes file requests. CWE-425 (Direct Request) indicates improper access control allowing direct manipulation of resources without proper authorization checks. The flaw permits unauthenticated network-based requests to retrieve assignment pictures, suggesting the endpoint lacks role-based access control (RBAC) or authentication validation before serving files. The CVSS vector confirms network accessibility (AV:N), no privilege requirements (PR:N), and no user interaction (UI:N), but high attack complexity (AC:H) suggests the exploit requires specific conditions such as knowledge of file paths, special request formatting, or timing constraints.
Remediation (AI)
Upgrade Frappe LMS beyond version 2.35.0 to a patched version released after vendor confirmation of fixes; however, exact patched version numbers are not published in available references. Monitor Frappe LMS GitHub repository release notes and security advisories for patched version availability, as fixes have been confirmed by the vendor but not yet documented publicly. As an interim compensating control, restrict network access to the /files/ endpoint using web application firewall (WAF) rules or reverse proxy rules to require authentication tokens or session validation before serving assignment picture files; this may impact legitimate file access workflows and should be tested in staging environments. Alternatively, implement network segmentation to limit /files/ endpoint exposure to internal networks or specific trusted IP ranges if the LMS operates in a private environment. These controls mitigate unauthorized information disclosure but do not resolve the root authorization flaw and should be considered temporary until a patched version is deployed.
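One way to express the interim reverse-proxy control described above, as an added example that is not taken from the advisory or from the Frappe project. It assumes nginx built with `ngx_http_auth_request_module`, a backend at `127.0.0.1:8000`, the placeholder host `lms.example.test`, and that Frappe's `frappe.auth.get_logged_user` API method answers 2xx for a logged-in session and 401/403 for a guest.

```nginx
# Added example: compensating control only, not the vendor's fix.
# Assumed values: backend address, server_name and the session-check path.
upstream frappe_backend {
    server 127.0.0.1:8000;
}

server {
    listen 80;
    server_name lms.example.test;

    # Every request under /files/ must pass the session subrequest first.
    # auth_request allows on 2xx, denies on 401/403, and returns 500 on any
    # other subrequest status, so an unexpected answer fails closed.
    location /files/ {
        auth_request /_session_check;

        # Serve the file the same way the existing /files/ location did.
        # proxy_pass is shown here; keep root/try_files instead if nginx
        # serves these files from disk in your deployment.
        proxy_set_header Host $host;
        proxy_pass http://frappe_backend;
    }

    # Internal-only subrequest: forwards the caller's cookies to Frappe and
    # asks which user the session belongs to. No request body is sent.
    location = /_session_check {
        internal;
        proxy_pass http://frappe_backend/api/method/frappe.auth.get_logged_user;
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
        proxy_set_header Host $host;
        proxy_set_header Cookie $http_cookie;
    }

    # All other paths are proxied unchanged.
    location / {
        proxy_set_header Host $host;
        proxy_pass http://frappe_backend;
    }
}
```

This gates on "any authenticated session" rather than on ownership of the assignment, so it narrows exposure but does not replace the per-file authorization check. Anything the site intentionally publishes under `/files/` to anonymous visitors will also require a login, which is the workflow impact to test in staging.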