Skip to main content

LearnHouse CVE-2025-12270

LOW
Improper Control of Resource Identifiers ('Resource Injection') (CWE-99)
2025-10-27 cna@vuldb.com
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Apr 29, 2026 - 02:32 vuln.today

DescriptionCVE.org

A vulnerability was determined in LearnHouse up to 98dfad76aad70711a8113f6c1fdabfccf10509ca. The impacted element is an unknown function of the file /api/v1/assignments/{assignment_id}/tasks/{task_id}/sub_file of the component Student Assignment Submission Handler. This manipulation causes improper control of resource identifiers. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

LearnHouse allows authenticated remote attackers to access unauthorized student assignment files through improper control of resource identifiers in the Student Assignment Submission Handler API endpoint, enabling information disclosure of sensitive academic materials. The vulnerability affects all versions up to commit 98dfad76aad70711a8113f6c1fdabfccf10509ca, with publicly available exploit code disclosed. EPSS exploitation probability is 0.04% (13th percentile), indicating low real-world exploitation likelihood despite public POC availability.

Technical ContextAI

The vulnerability exists in the RESTful API endpoint /api/v1/assignments/{assignment_id}/tasks/{task_id}/sub_file, which handles student assignment file submissions. The root cause is CWE-99 (Improper Control of Resource Identifiers), a class of authorization bypass flaws where the application fails to properly validate or restrict access to resources based on user identity or role. In this case, the API likely accepts user-controlled assignment_id and task_id parameters without verifying the authenticated user has permission to access those specific resources, allowing students or other users to enumerate and retrieve files belonging to other students' assignments through parameter manipulation.

RemediationAI

Apply the upstream fix by deploying the latest commit from the LearnHouse repository after commit 98dfad76aad70711a8113f6c1fdabfccf10509ca. Since the vendor uses continuous delivery with rolling releases rather than traditional version releases, administrators should pull the latest code from the main branch and redeploy. The patch must implement proper access control validation in the /api/v1/assignments/{assignment_id}/tasks/{task_id}/sub_file endpoint to verify the authenticated user owns or has explicit permission to access the requested assignment and task resources before serving files. Until patched, implement compensating controls: (1) enable API request logging and monitoring for repeated or invalid assignment_id/task_id parameter combinations to detect enumeration attempts, (2) restrict the endpoint to HTTPS-only with TLS 1.2+ to prevent credential interception, (3) implement rate limiting (e.g., 10 requests per minute per user) on the /api/v1/assignments endpoint to slow enumeration attacks, and (4) conduct an access control audit of all API endpoints in the Student Assignment Submission Handler component to identify similar CWE-99 instances. Trade-off: rate limiting may impact legitimate bulk download workflows; configure whitelist exceptions for known administrative tasks. For reference, see VulDB CID 329942 (https://vuldb.com/?ctiid.329942).

Share

CVE-2025-12270 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy