Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionGitHub Advisory
Frappe Learning Management System (LMS) is a learning system that helps users structure their content. Prior to 2.46.0, a vulnerability has been identified in Frappe Learning where quiz scores can be modified by students before submission. The application currently relies on client-side calculated scores, which can be altered using browser developer tools prior to sending the submission request. While this does not allow modification of other users’ data or privilege escalation, it compromises the integrity of quiz results and undermines academic reliability. This issue affects data integrity but does not expose confidential information or allow unauthorized access to other accounts. This vulnerability is fixed in 2.46.0.
AnalysisAI
Frappe Learning Management System versions prior to 2.46.0 allow authenticated students to modify their own quiz scores via client-side manipulation using browser developer tools before submission. This vulnerability compromises the integrity of quiz results and academic reliability without enabling privilege escalation, unauthorized account access, or exposure of confidential information. The fix is available in version 2.46.0, and no public exploit code or active exploitation has been identified at the time of analysis.
Technical ContextAI
Frappe LMS implements quiz scoring logic on the client side, calculating scores in JavaScript before transmission to the server. This architecture violates the fundamental security principle of never trusting client-supplied data for security-critical calculations. CWE-602 (Client-Side Enforcement of Server-Side Security) describes this root cause: the application enforces data validation and integrity checks only on the client, where they can be circumvented by an authenticated user with access to browser developer tools (console, network inspection, DOM manipulation). The vulnerability affects all versions of the Frappe LMS package (cpe:2.3:a:frappe:lms:*:*:*:*:*:*:*:*) prior to 2.46.0, as the server-side code does not independently verify quiz scores before recording them.
RemediationAI
Upgrade Frappe LMS to version 2.46.0 or later to apply the vendor-released patch. The fix implements server-side validation and recalculation of quiz scores, ensuring that submitted scores are verified against the correct answers on the server before being recorded, eliminating the ability for students to manipulate client-side calculations. Organizations unable to upgrade immediately should implement compensating controls such as restricting quiz submissions to monitored testing environments, disabling browser developer tools on assessment terminals, or requiring instructor review of anomalous score submissions. For detailed patch information and guidance, refer to the official GitHub security advisory at https://github.com/frappe/lms/security/advisories/GHSA-9573-68xq-hwrx.
lms version <= LMS_011123 contains a Local File Disclosure vulnerability in File reading functionality in LMS module tha
Path traversal in Frappe Learning Management System (LMS) versions 2.50.0 and below allows authenticated users with cour
OS command injection in LMS (LAN Management System) before commit 9fcb4de allows authenticated adjacent attackers to exe
Error-based SQL injection in LMS (LAN Management System) before commit 4cb30a7 allows authenticated attackers to extract
Reflected Cross-Site Scripting in the designthemes LMS WordPress theme (versions 9.7 and earlier) allows unauthenticated
Stored cross-site scripting (XSS) in Frappe Learning Management System versions 2.27.0 through 2.47.x allows unauthentic
An issue in Mirapolis LMS 4.6.XX allows authenticated users to exploit an Insecure Direct Object Reference (IDOR) vulner
Reflected XSS in LAN Management System (LMS) before commit 9c5651b allows network-positioned attackers to inject arbitra
Metadata injection in Frappe LMS prior to version 2.53.0 enables authenticated users to embed crafted content into user-
Same technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20603