Search criteria
30 vulnerabilities found for LMS by Frappe
CVE-2025-67734 (GCVE-0-2025-67734)
Vulnerability from nvd – Published: 2025-12-12 19:48 – Updated: 2025-12-12 20:01
VLAI?
Title
Frappe Authenticated Users can Execute JavaScript through its Job Form
Summary
Frappe Learning Management System (LMS) is a learning system that helps users structure their content. Versions prior to 2.42.0 allowed authenticated attackers to enter JavaScript through the Company Website field of the Job Form, exposing users to an XSS attack. The script could then be executed in the browsers of users who opened the malicious job posting. This issue is fixed in version 2.42.0.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-67734",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-12T20:01:17.585451Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-12T20:01:48.581Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "lms",
"vendor": "frappe",
"versions": [
{
"status": "affected",
"version": "\u003c 2.42.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Frappe Learning Management System (LMS) is a learning system that helps users structure their content. Versions prior to 2.42.0 allowed authenticated attackers to enter JavaScript through the Company Website field of the Job Form, exposing users to an XSS attack. The script could then be executed in the browsers of users who opened the malicious job posting. This issue is fixed in version 2.42.0."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-12T19:48:58.721Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/frappe/lms/security/advisories/GHSA-c495-qg4v-5vr7",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/frappe/lms/security/advisories/GHSA-c495-qg4v-5vr7"
},
{
"name": "https://github.com/frappe/lms/commit/ca849da81558066d7614b9b6234004ff59c90632",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/frappe/lms/commit/ca849da81558066d7614b9b6234004ff59c90632"
}
],
"source": {
"advisory": "GHSA-c495-qg4v-5vr7",
"discovery": "UNKNOWN"
},
"title": "Frappe Authenticated Users can Execute JavaScript through its Job Form"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-67734",
"datePublished": "2025-12-12T19:48:58.721Z",
"dateReserved": "2025-12-11T00:45:45.790Z",
"dateUpdated": "2025-12-12T20:01:48.581Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-67730 (GCVE-0-2025-67730)
Vulnerability from nvd – Published: 2025-12-12 07:23 – Updated: 2025-12-18 15:38
VLAI?
Title
Frappe authenticated users can execute XSS through form description fields
Summary
Frappe Learning Management System (LMS) is a learning system that helps users structure their content. Versions prior to 2.42.0 allow authenticated users to add malicious HTML and JavaScript through description fields in the Job, Course and Batch forms. This issue is fixed in version 2.42.0.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-67730",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-18T15:38:03.443678Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-18T15:38:16.475Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "lms",
"vendor": "frappe",
"versions": [
{
"status": "affected",
"version": "\u003c 2.42.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Frappe Learning Management System (LMS) is a learning system that helps users structure their content. Versions prior to 2.42.0 allow authenticated users to add malicious HTML and JavaScript through description fields in the Job, Course and Batch forms. This issue is fixed in version 2.42.0."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-12T07:23:54.147Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/frappe/lms/security/advisories/GHSA-jjc4-j3hw-33h2",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/frappe/lms/security/advisories/GHSA-jjc4-j3hw-33h2"
},
{
"name": "https://github.com/frappe/lms/commit/0877e32e1bfe64831b875707241de1c449cda45c",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/frappe/lms/commit/0877e32e1bfe64831b875707241de1c449cda45c"
}
],
"source": {
"advisory": "GHSA-jjc4-j3hw-33h2",
"discovery": "UNKNOWN"
},
"title": "Frappe authenticated users can execute XSS through form description fields"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-67730",
"datePublished": "2025-12-12T07:23:54.147Z",
"dateReserved": "2025-12-10T20:04:28.290Z",
"dateUpdated": "2025-12-18T15:38:16.475Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-66581 (GCVE-0-2025-66581)
Vulnerability from nvd – Published: 2025-12-05 18:26 – Updated: 2025-12-05 20:09
VLAI?
Title
Frappe LMS is Missing Server-Side Authorization in Business Logic
Summary
Frappe Learning Management System (LMS) is a learning system that helps users structure their content. Prior to 2.41.0, a flaw in the server-side authorization logic allowed authenticated users to perform actions beyond their assigned roles across multiple features. Because the affected endpoints relied on client-side or UI-level checks instead of enforcing permissions on the server, users with low-privileged roles (such as students) could perform operations intended only for instructors or administrators via directly using the API's. This vulnerability is fixed in 2.41.0.
Severity ?
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-66581",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-05T20:09:43.763815Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-05T20:09:52.736Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "lms",
"vendor": "frappe",
"versions": [
{
"status": "affected",
"version": "\u003c 2.41.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Frappe Learning Management System (LMS) is a learning system that helps users structure their content. Prior to 2.41.0, a flaw in the server-side authorization logic allowed authenticated users to perform actions beyond their assigned roles across multiple features. Because the affected endpoints relied on client-side or UI-level checks instead of enforcing permissions on the server, users with low-privileged roles (such as students) could perform operations intended only for instructors or administrators via directly using the API\u0027s. This vulnerability is fixed in 2.41.0."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 1.3,
"baseSeverity": "LOW",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-05T18:26:20.622Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/frappe/lms/security/advisories/GHSA-2ch7-c74m-432m",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/frappe/lms/security/advisories/GHSA-2ch7-c74m-432m"
}
],
"source": {
"advisory": "GHSA-2ch7-c74m-432m",
"discovery": "UNKNOWN"
},
"title": "Frappe LMS is Missing Server-Side Authorization in Business Logic"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-66581",
"datePublished": "2025-12-05T18:26:20.622Z",
"dateReserved": "2025-12-04T18:53:42.399Z",
"dateUpdated": "2025-12-05T20:09:52.736Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-64707 (GCVE-0-2025-64707)
Vulnerability from nvd – Published: 2025-11-12 22:27 – Updated: 2025-11-13 14:35
VLAI?
Title
Frappe LMS revoking access did not show immediate effect as roles were cached
Summary
Frappe Learning is a learning system that helps users structure their content. Starting in version 2.0.0 and prior to version 2.41.0, when admins revoked a role from the user, the effect was not immediate because of caching. The issue has been fixed in version 2.41.0 by ensuring the cache is cleared after roles are updated.
Severity ?
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-64707",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-13T14:29:43.078066Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-13T14:35:20.671Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "lms",
"vendor": "frappe",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.0.0, \u003c 2.41.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Frappe Learning is a learning system that helps users structure their content. Starting in version 2.0.0 and prior to version 2.41.0, when admins revoked a role from the user, the effect was not immediate because of caching. The issue has been fixed in version 2.41.0 by ensuring the cache is cleared after roles are updated."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 1.2,
"baseSeverity": "LOW",
"privilegesRequired": "HIGH",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-12T22:27:54.937Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/frappe/lms/security/advisories/GHSA-w2gf-rchw-x6vm",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/frappe/lms/security/advisories/GHSA-w2gf-rchw-x6vm"
}
],
"source": {
"advisory": "GHSA-w2gf-rchw-x6vm",
"discovery": "UNKNOWN"
},
"title": "Frappe LMS revoking access did not show immediate effect as roles were cached"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-64707",
"datePublished": "2025-11-12T22:27:54.937Z",
"dateReserved": "2025-11-10T14:07:42.921Z",
"dateUpdated": "2025-11-13T14:35:20.671Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-64705 (GCVE-0-2025-64705)
Vulnerability from nvd – Published: 2025-11-12 22:25 – Updated: 2025-11-13 14:35
VLAI?
Title
Frappe user was able to access the submission of other students
Summary
Frappe Learning is a learning system that helps users structure their content. Starting in version 2.0.0 and prior to version 2.41.0, users were able to access the submissions made by other students The issue has been fixed in version 2.41.0 by ensuring proper roles and redirecting if accessed via direct URL.
Severity ?
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-64705",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-13T14:29:49.531816Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-13T14:35:25.946Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "lms",
"vendor": "frappe",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.0.0, \u003c 2.41.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Frappe Learning is a learning system that helps users structure their content. Starting in version 2.0.0 and prior to version 2.41.0, users were able to access the submissions made by other students The issue has been fixed in version 2.41.0 by ensuring proper roles and redirecting if accessed via direct URL."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 1.3,
"baseSeverity": "LOW",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-12T22:25:49.724Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/frappe/lms/security/advisories/GHSA-qrvv-6g7r-g3v8",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/frappe/lms/security/advisories/GHSA-qrvv-6g7r-g3v8"
}
],
"source": {
"advisory": "GHSA-qrvv-6g7r-g3v8",
"discovery": "UNKNOWN"
},
"title": "Frappe user was able to access the submission of other students"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-64705",
"datePublished": "2025-11-12T22:25:49.724Z",
"dateReserved": "2025-11-10T14:07:42.921Z",
"dateUpdated": "2025-11-13T14:35:25.946Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-62779 (GCVE-0-2025-62779)
Vulnerability from nvd – Published: 2025-10-27 21:19 – Updated: 2025-10-28 15:17
VLAI?
Title
Frappe Learning users were able to add HTML through input fields in the Job Form
Summary
Frappe Learning is a learning system that helps users structure their content. In Frappe Learning 2.39.1 and earlier, users were able to add HTML through input fields in the Job Form.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-62779",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-28T15:03:20.309550Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-28T15:17:15.768Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "lms",
"vendor": "frappe",
"versions": [
{
"status": "affected",
"version": "\u003c= 2.39.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Frappe Learning is a learning system that helps users structure their content. In Frappe Learning 2.39.1 and earlier, users were able to add HTML through input fields in the Job Form."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 1.2,
"baseSeverity": "LOW",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-27T21:19:03.978Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/frappe/lms/security/advisories/GHSA-j6h8-qg65-3fpx",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/frappe/lms/security/advisories/GHSA-j6h8-qg65-3fpx"
},
{
"name": "https://github.com/frappe/lms/commit/75001b494d5d8198eab20b0cd85d5bd719448ea3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/frappe/lms/commit/75001b494d5d8198eab20b0cd85d5bd719448ea3"
}
],
"source": {
"advisory": "GHSA-j6h8-qg65-3fpx",
"discovery": "UNKNOWN"
},
"title": "Frappe Learning users were able to add HTML through input fields in the Job Form"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-62779",
"datePublished": "2025-10-27T21:19:03.978Z",
"dateReserved": "2025-10-22T18:55:48.006Z",
"dateUpdated": "2025-10-28T15:17:15.768Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-62778 (GCVE-0-2025-62778)
Vulnerability from nvd – Published: 2025-10-27 21:16 – Updated: 2025-10-28 13:38
VLAI?
Title
Frappe Learning allowed students to access the Quiz Form via direct URL
Summary
Frappe Learning is a learning management system. A security issue was identified in Frappe Learning 2.39.1 and earlier, where students were able to access the Quiz Form if they had the URL.
Severity ?
CWE
- CWE-425 - Direct Request ('Forced Browsing')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-62778",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-28T13:16:46.371405Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-28T13:38:07.740Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "lms",
"vendor": "frappe",
"versions": [
{
"status": "affected",
"version": "\u003c= 2.39.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Frappe Learning is a learning management system. A security issue was identified in Frappe Learning 2.39.1 and earlier, where students were able to access the Quiz Form if they had the URL."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 1.3,
"baseSeverity": "LOW",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-425",
"description": "CWE-425: Direct Request (\u0027Forced Browsing\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-27T21:16:06.220Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/frappe/lms/security/advisories/GHSA-8xvv-6v89-xxgx",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/frappe/lms/security/advisories/GHSA-8xvv-6v89-xxgx"
},
{
"name": "https://github.com/frappe/lms/commit/8749e21744547ae32f729bde05c854113e126750",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/frappe/lms/commit/8749e21744547ae32f729bde05c854113e126750"
}
],
"source": {
"advisory": "GHSA-8xvv-6v89-xxgx",
"discovery": "UNKNOWN"
},
"title": "Frappe Learning allowed students to access the Quiz Form via direct URL"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-62778",
"datePublished": "2025-10-27T21:16:06.220Z",
"dateReserved": "2025-10-22T18:55:48.006Z",
"dateUpdated": "2025-10-28T13:38:07.740Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-62158 (GCVE-0-2025-62158)
Vulnerability from nvd – Published: 2025-10-10 20:05 – Updated: 2025-10-10 20:44
VLAI?
Title
Frappe had attachments made by students to their assignments of type Text set to public
Summary
Frappe Learning is a learning system that helps users structure their content. In versions prior to 2.38.0, the system did stored the attachments uploaded by the students in their assignments as public files. This issue potentially exposed student-uploaded files to the public. Anyone with the file URL could access these files without authentication. The issue has been fixed in version 2.38.0 by ensuring all student-uploaded assignment attachments are stored as private files by default.
Severity ?
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-62158",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-10T20:44:01.340992Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-10T20:44:13.136Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "lms",
"vendor": "frappe",
"versions": [
{
"status": "affected",
"version": "\u003c 2.38.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Frappe Learning is a learning system that helps users structure their content. In versions prior to 2.38.0, the system did stored the attachments uploaded by the students in their assignments as public files. This issue potentially exposed student-uploaded files to the public. Anyone with the file URL could access these files without authentication. The issue has been fixed in version 2.38.0 by ensuring all student-uploaded assignment attachments are stored as private files by default."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 2.7,
"baseSeverity": "LOW",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-10T20:05:38.107Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/frappe/lms/security/advisories/GHSA-h6fh-7f24-f2j5",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/frappe/lms/security/advisories/GHSA-h6fh-7f24-f2j5"
},
{
"name": "https://github.com/frappe/lms/commit/78640561f558a6c7396f8be48874f79a54f03420",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/frappe/lms/commit/78640561f558a6c7396f8be48874f79a54f03420"
}
],
"source": {
"advisory": "GHSA-h6fh-7f24-f2j5",
"discovery": "UNKNOWN"
},
"title": "Frappe had attachments made by students to their assignments of type Text set to public"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-62158",
"datePublished": "2025-10-10T20:05:38.107Z",
"dateReserved": "2025-10-07T16:12:03.424Z",
"dateUpdated": "2025-10-10T20:44:13.136Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-11283 (GCVE-0-2025-11283)
Vulnerability from nvd – Published: 2025-10-05 05:02 – Updated: 2025-10-06 20:07
VLAI?
Title
Frappe LMS Course cross site scripting
Summary
A vulnerability was determined in Frappe LMS 2.35.0. This affects an unknown function of the component Course Handler. Executing manipulation of the argument Description can lead to cross site scripting. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. It is suggested to upgrade the affected component. The vendor was informed early about a total of four security issues and confirmed that those have been fixed. However, the release notes on GitHub do not mention them.
Severity ?
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Credits
0xHamy (VulDB User)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-11283",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-06T20:07:21.780373Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-06T20:07:29.456Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"Course Handler"
],
"product": "LMS",
"vendor": "Frappe",
"versions": [
{
"status": "affected",
"version": "2.35.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "0xHamy (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was determined in Frappe LMS 2.35.0. This affects an unknown function of the component Course Handler. Executing manipulation of the argument Description can lead to cross site scripting. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. It is suggested to upgrade the affected component. The vendor was informed early about a total of four security issues and confirmed that those have been fixed. However, the release notes on GitHub do not mention them."
},
{
"lang": "de",
"value": "Es wurde eine Schwachstelle in Frappe LMS 2.35.0 entdeckt. Es geht hierbei um eine nicht n\u00e4her spezifizierte Funktion der Komponente Course Handler. Mittels dem Manipulieren des Arguments Description mit unbekannten Daten kann eine cross site scripting-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk erfolgen. Die Schwachstelle wurde \u00f6ffentlich offengelegt und k\u00f6nnte ausgenutzt werden. Es wird geraten, die betroffene Komponente zu aktualisieren."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 2.4,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 2.4,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 3.3,
"vectorString": "AV:N/AC:L/Au:M/C:N/I:P/A:N/E:POC/RL:OF/RC:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Cross Site Scripting",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "Code Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-05T05:02:06.329Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-327017 | Frappe LMS Course cross site scripting",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.327017"
},
{
"name": "VDB-327017 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.327017"
},
{
"name": "Submit #659697 | Frappe Frappe LMS 2.35.0 Cross Site Scripting",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.659697"
},
{
"tags": [
"related"
],
"url": "https://gist.github.com/0xHamy/1f99795df9301a95ee0c6d18028cd3da"
},
{
"tags": [
"exploit"
],
"url": "https://gist.github.com/0xHamy/1f99795df9301a95ee0c6d18028cd3da#steps-to-reproduce"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-10-04T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-10-04T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-10-04T11:28:19.000Z",
"value": "VulDB entry last update"
}
],
"title": "Frappe LMS Course cross site scripting"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-11283",
"datePublished": "2025-10-05T05:02:06.329Z",
"dateReserved": "2025-10-04T09:22:39.244Z",
"dateUpdated": "2025-10-06T20:07:29.456Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-11282 (GCVE-0-2025-11282)
Vulnerability from nvd – Published: 2025-10-05 04:32 – Updated: 2025-10-07 18:53
VLAI?
Title
Frappe LMS Incomplete Fix CVE-2025-55006 cross site scripting
Summary
A vulnerability was found in Frappe LMS 2.34.x/2.35.0. The impacted element is an unknown function of the component Incomplete Fix CVE-2025-55006. Performing manipulation results in cross site scripting. Remote exploitation of the attack is possible. The exploit has been made public and could be used. The affected component should be upgraded. The vendor was informed early about a total of four security issues and confirmed that those have been fixed. However, the release notes on GitHub do not mention them.
Severity ?
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Credits
0xHamy (VulDB User)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-11282",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-07T18:53:33.193133Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T18:53:36.549Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://gist.github.com/0xHamy/c2a81f2d1c779c513fa3db6f3ad24544#steps-to-reproduce"
},
{
"tags": [
"exploit"
],
"url": "https://vuldb.com/?submit.659696"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"Incomplete Fix CVE-2025-55006"
],
"product": "LMS",
"vendor": "Frappe",
"versions": [
{
"status": "affected",
"version": "2.34.x"
},
{
"status": "affected",
"version": "2.35.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "0xHamy (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in Frappe LMS 2.34.x/2.35.0. The impacted element is an unknown function of the component Incomplete Fix CVE-2025-55006. Performing manipulation results in cross site scripting. Remote exploitation of the attack is possible. The exploit has been made public and could be used. The affected component should be upgraded. The vendor was informed early about a total of four security issues and confirmed that those have been fixed. However, the release notes on GitHub do not mention them."
},
{
"lang": "de",
"value": "Eine Schwachstelle wurde in Frappe LMS 2.34.x/2.35.0 gefunden. Es geht um eine nicht n\u00e4her bekannte Funktion der Komponente Incomplete Fix CVE-2025-55006. Durch Manipulation mit unbekannten Daten kann eine cross site scripting-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk angegangen werden. Der Exploit wurde der \u00d6ffentlichkeit bekannt gemacht und k\u00f6nnte verwendet werden. Es wird empfohlen, die betroffene Komponente zu aktualisieren."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 2.4,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 2.4,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 3.3,
"vectorString": "AV:N/AC:L/Au:M/C:N/I:P/A:N/E:POC/RL:OF/RC:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Cross Site Scripting",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "Code Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-05T04:32:06.034Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-327016 | Frappe LMS Incomplete Fix CVE-2025-55006 cross site scripting",
"tags": [
"vdb-entry"
],
"url": "https://vuldb.com/?id.327016"
},
{
"name": "VDB-327016 | CTI Indicators (IOB, IOC, TTP)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.327016"
},
{
"name": "Submit #659696 | Frappe Frappe LMS 2.35.0 Cross Site Scripting",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.659696"
},
{
"tags": [
"related"
],
"url": "https://github.com/frappe/lms/security/advisories/GHSA-mvxw-r9x4-3vrr"
},
{
"tags": [
"exploit"
],
"url": "https://gist.github.com/0xHamy/c2a81f2d1c779c513fa3db6f3ad24544#steps-to-reproduce"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-10-04T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-10-04T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-10-04T11:28:18.000Z",
"value": "VulDB entry last update"
}
],
"title": "Frappe LMS Incomplete Fix CVE-2025-55006 cross site scripting"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-11282",
"datePublished": "2025-10-05T04:32:06.034Z",
"dateReserved": "2025-10-04T09:22:36.514Z",
"dateUpdated": "2025-10-07T18:53:36.549Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-11281 (GCVE-0-2025-11281)
Vulnerability from nvd – Published: 2025-10-05 04:02 – Updated: 2025-10-07 19:12
VLAI?
Title
Frappe LMS Unpublished Course courses access control
Summary
A vulnerability has been found in Frappe LMS 2.35.0. The affected element is an unknown function of the file /courses/ of the component Unpublished Course Handler. Such manipulation leads to improper access controls. The attack may be launched remotely. This attack is characterized by high complexity. The exploitability is described as difficult. The exploit has been disclosed to the public and may be used. You should upgrade the affected component. The vendor was informed early about a total of four security issues and confirmed that those have been fixed. However, the release notes on GitHub do not mention them.
Severity ?
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Credits
0xHamy (VulDB User)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-11281",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-07T19:11:59.135800Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T19:12:19.266Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://vuldb.com/?submit.659695"
},
{
"tags": [
"exploit"
],
"url": "https://gist.github.com/0xHamy/5ebd820ad30f33827011e9a614fb2f89"
},
{
"tags": [
"exploit"
],
"url": "https://gist.github.com/0xHamy/5ebd820ad30f33827011e9a614fb2f89#steps-to-reproduce"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"Unpublished Course Handler"
],
"product": "LMS",
"vendor": "Frappe",
"versions": [
{
"status": "affected",
"version": "2.35.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "0xHamy (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been found in Frappe LMS 2.35.0. The affected element is an unknown function of the file /courses/ of the component Unpublished Course Handler. Such manipulation leads to improper access controls. The attack may be launched remotely. This attack is characterized by high complexity. The exploitability is described as difficult. The exploit has been disclosed to the public and may be used. You should upgrade the affected component. The vendor was informed early about a total of four security issues and confirmed that those have been fixed. However, the release notes on GitHub do not mention them."
},
{
"lang": "de",
"value": "In Frappe LMS 2.35.0 ist eine Schwachstelle entdeckt worden. Betroffen hiervon ist ein unbekannter Ablauf der Datei /courses/ der Komponente Unpublished Course Handler. Durch die Manipulation mit unbekannten Daten kann eine improper access controls-Schwachstelle ausgenutzt werden. Der Angriff kann remote ausgef\u00fchrt werden. Das Durchf\u00fchren eines Angriffs ist mit einer relativ hohen Komplexit\u00e4t verbunden. Das Ausnutzen gilt als schwierig. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung. Als bestm\u00f6gliche Massnahme wird das Einspielen eines Upgrades empfohlen."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 2.3,
"baseSeverity": "LOW",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 4.6,
"vectorString": "AV:N/AC:H/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "Improper Access Controls",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-266",
"description": "Incorrect Privilege Assignment",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-05T04:02:05.630Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-327015 | Frappe LMS Unpublished Course courses access control",
"tags": [
"vdb-entry"
],
"url": "https://vuldb.com/?id.327015"
},
{
"name": "VDB-327015 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.327015"
},
{
"name": "Submit #659695 | Frappe Frappe LMS 2.35.0 Improper Access Controls",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.659695"
},
{
"tags": [
"related"
],
"url": "https://gist.github.com/0xHamy/5ebd820ad30f33827011e9a614fb2f89"
},
{
"tags": [
"exploit"
],
"url": "https://gist.github.com/0xHamy/5ebd820ad30f33827011e9a614fb2f89#steps-to-reproduce"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-10-04T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-10-04T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-10-04T11:28:16.000Z",
"value": "VulDB entry last update"
}
],
"title": "Frappe LMS Unpublished Course courses access control"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-11281",
"datePublished": "2025-10-05T04:02:05.630Z",
"dateReserved": "2025-10-04T09:22:33.609Z",
"dateUpdated": "2025-10-07T19:12:19.266Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-11280 (GCVE-0-2025-11280)
Vulnerability from nvd – Published: 2025-10-05 03:32 – Updated: 2025-10-07 19:36
VLAI?
Title
Frappe LMS Assignment Picture files direct request
Summary
A flaw has been found in Frappe LMS 2.35.0. Impacted is an unknown function of the file /files/ of the component Assignment Picture Handler. This manipulation causes direct request. The attack may be initiated remotely. The attack's complexity is rated as high. The exploitability is considered difficult. The exploit has been published and may be used. It is advisable to upgrade the affected component. The vendor was informed early about a total of four security issues and confirmed that those have been fixed. However, the release notes on GitHub do not mention them.
Severity ?
CWE
- CWE-425 - Direct Request
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Credits
0xHamy (VulDB User)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-11280",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-07T19:36:51.684179Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T19:36:55.895Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://vuldb.com/?submit.659694"
},
{
"tags": [
"exploit"
],
"url": "https://gist.github.com/0xHamy/beb840a754f50a7ee6500600147a6ac1"
},
{
"tags": [
"exploit"
],
"url": "https://gist.github.com/0xHamy/beb840a754f50a7ee6500600147a6ac1#steps-to-reproduce"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"Assignment Picture Handler"
],
"product": "LMS",
"vendor": "Frappe",
"versions": [
{
"status": "affected",
"version": "2.35.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "0xHamy (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A flaw has been found in Frappe LMS 2.35.0. Impacted is an unknown function of the file /files/ of the component Assignment Picture Handler. This manipulation causes direct request. The attack may be initiated remotely. The attack\u0027s complexity is rated as high. The exploitability is considered difficult. The exploit has been published and may be used. It is advisable to upgrade the affected component. The vendor was informed early about a total of four security issues and confirmed that those have been fixed. However, the release notes on GitHub do not mention them."
},
{
"lang": "de",
"value": "In Frappe LMS 2.35.0 wurde eine Schwachstelle gefunden. Betroffen davon ist ein unbekannter Prozess der Datei /files/ der Komponente Assignment Picture Handler. Mit der Manipulation mit unbekannten Daten kann eine direct request-Schwachstelle ausgenutzt werden. Umgesetzt werden kann der Angriff \u00fcber das Netzwerk. Ein Angriff erfordert eine vergleichsweise hohe Komplexit\u00e4t. Sie ist schwierig auszunutzen. Die Ausnutzung wurde ver\u00f6ffentlicht und kann verwendet werden. Die Aktualisierung der betroffenen Komponente wird empfohlen."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 3.7,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 3.7,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 2.6,
"vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N/E:POC/RL:OF/RC:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-425",
"description": "Direct Request",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-05T03:32:06.307Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-327014 | Frappe LMS Assignment Picture files direct request",
"tags": [
"vdb-entry"
],
"url": "https://vuldb.com/?id.327014"
},
{
"name": "VDB-327014 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.327014"
},
{
"name": "Submit #659694 | Frappe Frappe LMS 2.35.0 Improper Access Controls",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.659694"
},
{
"tags": [
"related"
],
"url": "https://gist.github.com/0xHamy/beb840a754f50a7ee6500600147a6ac1"
},
{
"tags": [
"exploit"
],
"url": "https://gist.github.com/0xHamy/beb840a754f50a7ee6500600147a6ac1#steps-to-reproduce"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-10-04T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-10-04T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-10-04T11:28:14.000Z",
"value": "VulDB entry last update"
}
],
"title": "Frappe LMS Assignment Picture files direct request"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-11280",
"datePublished": "2025-10-05T03:32:06.307Z",
"dateReserved": "2025-10-04T09:22:22.603Z",
"dateUpdated": "2025-10-07T19:36:55.895Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-59415 (GCVE-0-2025-59415)
Vulnerability from nvd – Published: 2025-09-17 21:07 – Updated: 2025-09-18 13:58
VLAI?
Title
Frappe Learning vulnerable to Malicious Content upload via Profile bio field
Summary
Frappe Learning is a learning system that helps users structure their content. In versions 2.34.1 and below, there is a security vulnerability in Frappe Learning where the system did not adequately sanitize the content uploaded in the profile bio. Malicious SVG files could be used to execute arbitrary scripts in the context of other users.
Severity ?
4.6 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-59415",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-18T13:58:38.663050Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-18T13:58:43.346Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "lms",
"vendor": "frappe",
"versions": [
{
"status": "affected",
"version": "\u003c= 2.34.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Frappe Learning is a learning system that helps users structure their content. In versions 2.34.1 and below, there is a security vulnerability in Frappe Learning where the system did not adequately sanitize the content uploaded in the profile bio. Malicious SVG files could be used to execute arbitrary scripts in the context of other users."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-17T21:07:58.471Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/frappe/lms/security/advisories/GHSA-h7gh-3vq5-96jx",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/frappe/lms/security/advisories/GHSA-h7gh-3vq5-96jx"
},
{
"name": "https://github.com/frappe/lms/commit/ed162e254690772365d4d1365f176b59bc4db72d",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/frappe/lms/commit/ed162e254690772365d4d1365f176b59bc4db72d"
}
],
"source": {
"advisory": "GHSA-h7gh-3vq5-96jx",
"discovery": "UNKNOWN"
},
"title": "Frappe Learning vulnerable to Malicious Content upload via Profile bio field"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-59415",
"datePublished": "2025-09-17T21:07:58.471Z",
"dateReserved": "2025-09-15T19:13:16.903Z",
"dateUpdated": "2025-09-18T13:58:43.346Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-55006 (GCVE-0-2025-55006)
Vulnerability from nvd – Published: 2025-08-09 02:01 – Updated: 2025-08-11 14:49
VLAI?
Title
Frappe Learning Holds Potential for Malicious SVG Upload in Image Upload Feature
Summary
Frappe Learning is a learning system that helps users structure their content. In versions 2.33.0 and below, the image upload functionality did not adequately sanitize uploaded SVG files. This allowed users to upload SVG files containing embedded JavaScript or other potentially malicious content. Malicious SVG files could be used to execute arbitrary scripts in the context of other users. A fix for this issue is planned for version 2.34.0.
Severity ?
4.3 (Medium)
CWE
- CWE-20 - Improper Input Validation
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-55006",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-11T14:49:19.058477Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-11T14:49:39.107Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "lms",
"vendor": "frappe",
"versions": [
{
"status": "affected",
"version": "\u003c= 2.33.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Frappe Learning is a learning system that helps users structure their content. In versions 2.33.0 and below, the image upload functionality did not adequately sanitize uploaded SVG files. This allowed users to upload SVG files containing embedded JavaScript or other potentially malicious content. Malicious SVG files could be used to execute arbitrary scripts in the context of other users. A fix for this issue is planned for version 2.34.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-09T02:01:57.136Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/frappe/lms/security/advisories/GHSA-mvxw-r9x4-3vrr",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/frappe/lms/security/advisories/GHSA-mvxw-r9x4-3vrr"
}
],
"source": {
"advisory": "GHSA-mvxw-r9x4-3vrr",
"discovery": "UNKNOWN"
},
"title": "Frappe Learning Holds Potential for Malicious SVG Upload in Image Upload Feature"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-55006",
"datePublished": "2025-08-09T02:01:57.136Z",
"dateReserved": "2025-08-04T17:34:24.421Z",
"dateUpdated": "2025-08-11T14:49:39.107Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-42807 (GCVE-0-2023-42807)
Vulnerability from nvd – Published: 2023-09-21 16:37 – Updated: 2024-09-24 14:50
VLAI?
Title
Frappe LMS SQL Injection Issue on People Page
Summary
Frappe LMS is an open source learning management system. In versions 1.0.0 and prior, on the People Page of LMS, there was an SQL Injection vulnerability. The issue has been fixed in the `main` branch. Users won't face this issue if they are using the latest main branch of the app.
Severity ?
6.3 (Medium)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T19:30:24.171Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/frappe/lms/security/advisories/GHSA-wvq3-3wvp-6x63",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/frappe/lms/security/advisories/GHSA-wvq3-3wvp-6x63"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-42807",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-24T14:29:02.498966Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-24T14:50:49.075Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "lms",
"vendor": "frappe",
"versions": [
{
"status": "affected",
"version": "\u003c= 1.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Frappe LMS is an open source learning management system. In versions 1.0.0 and prior, on the People Page of LMS, there was an SQL Injection vulnerability. The issue has been fixed in the `main` branch. Users won\u0027t face this issue if they are using the latest main branch of the app."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-09-21T16:37:49.041Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/frappe/lms/security/advisories/GHSA-wvq3-3wvp-6x63",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/frappe/lms/security/advisories/GHSA-wvq3-3wvp-6x63"
}
],
"source": {
"advisory": "GHSA-wvq3-3wvp-6x63",
"discovery": "UNKNOWN"
},
"title": "Frappe LMS SQL Injection Issue on People Page"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-42807",
"datePublished": "2023-09-21T16:37:49.041Z",
"dateReserved": "2023-09-14T16:13:33.307Z",
"dateUpdated": "2024-09-24T14:50:49.075Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-67734 (GCVE-0-2025-67734)
Vulnerability from cvelistv5 – Published: 2025-12-12 19:48 – Updated: 2025-12-12 20:01
VLAI?
Title
Frappe Authenticated Users can Execute JavaScript through its Job Form
Summary
Frappe Learning Management System (LMS) is a learning system that helps users structure their content. Versions prior to 2.42.0 allowed authenticated attackers to enter JavaScript through the Company Website field of the Job Form, exposing users to an XSS attack. The script could then be executed in the browsers of users who opened the malicious job posting. This issue is fixed in version 2.42.0.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-67734",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-12T20:01:17.585451Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-12T20:01:48.581Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "lms",
"vendor": "frappe",
"versions": [
{
"status": "affected",
"version": "\u003c 2.42.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Frappe Learning Management System (LMS) is a learning system that helps users structure their content. Versions prior to 2.42.0 allowed authenticated attackers to enter JavaScript through the Company Website field of the Job Form, exposing users to an XSS attack. The script could then be executed in the browsers of users who opened the malicious job posting. This issue is fixed in version 2.42.0."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-12T19:48:58.721Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/frappe/lms/security/advisories/GHSA-c495-qg4v-5vr7",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/frappe/lms/security/advisories/GHSA-c495-qg4v-5vr7"
},
{
"name": "https://github.com/frappe/lms/commit/ca849da81558066d7614b9b6234004ff59c90632",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/frappe/lms/commit/ca849da81558066d7614b9b6234004ff59c90632"
}
],
"source": {
"advisory": "GHSA-c495-qg4v-5vr7",
"discovery": "UNKNOWN"
},
"title": "Frappe Authenticated Users can Execute JavaScript through its Job Form"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-67734",
"datePublished": "2025-12-12T19:48:58.721Z",
"dateReserved": "2025-12-11T00:45:45.790Z",
"dateUpdated": "2025-12-12T20:01:48.581Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-67730 (GCVE-0-2025-67730)
Vulnerability from cvelistv5 – Published: 2025-12-12 07:23 – Updated: 2025-12-18 15:38
VLAI?
Title
Frappe authenticated users can execute XSS through form description fields
Summary
Frappe Learning Management System (LMS) is a learning system that helps users structure their content. Versions prior to 2.42.0 allow authenticated users to add malicious HTML and JavaScript through description fields in the Job, Course and Batch forms. This issue is fixed in version 2.42.0.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-67730",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-18T15:38:03.443678Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-18T15:38:16.475Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "lms",
"vendor": "frappe",
"versions": [
{
"status": "affected",
"version": "\u003c 2.42.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Frappe Learning Management System (LMS) is a learning system that helps users structure their content. Versions prior to 2.42.0 allow authenticated users to add malicious HTML and JavaScript through description fields in the Job, Course and Batch forms. This issue is fixed in version 2.42.0."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-12T07:23:54.147Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/frappe/lms/security/advisories/GHSA-jjc4-j3hw-33h2",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/frappe/lms/security/advisories/GHSA-jjc4-j3hw-33h2"
},
{
"name": "https://github.com/frappe/lms/commit/0877e32e1bfe64831b875707241de1c449cda45c",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/frappe/lms/commit/0877e32e1bfe64831b875707241de1c449cda45c"
}
],
"source": {
"advisory": "GHSA-jjc4-j3hw-33h2",
"discovery": "UNKNOWN"
},
"title": "Frappe authenticated users can execute XSS through form description fields"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-67730",
"datePublished": "2025-12-12T07:23:54.147Z",
"dateReserved": "2025-12-10T20:04:28.290Z",
"dateUpdated": "2025-12-18T15:38:16.475Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-66581 (GCVE-0-2025-66581)
Vulnerability from cvelistv5 – Published: 2025-12-05 18:26 – Updated: 2025-12-05 20:09
VLAI?
Title
Frappe LMS is Missing Server-Side Authorization in Business Logic
Summary
Frappe Learning Management System (LMS) is a learning system that helps users structure their content. Prior to 2.41.0, a flaw in the server-side authorization logic allowed authenticated users to perform actions beyond their assigned roles across multiple features. Because the affected endpoints relied on client-side or UI-level checks instead of enforcing permissions on the server, users with low-privileged roles (such as students) could perform operations intended only for instructors or administrators via directly using the API's. This vulnerability is fixed in 2.41.0.
Severity ?
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-66581",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-05T20:09:43.763815Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-05T20:09:52.736Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "lms",
"vendor": "frappe",
"versions": [
{
"status": "affected",
"version": "\u003c 2.41.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Frappe Learning Management System (LMS) is a learning system that helps users structure their content. Prior to 2.41.0, a flaw in the server-side authorization logic allowed authenticated users to perform actions beyond their assigned roles across multiple features. Because the affected endpoints relied on client-side or UI-level checks instead of enforcing permissions on the server, users with low-privileged roles (such as students) could perform operations intended only for instructors or administrators via directly using the API\u0027s. This vulnerability is fixed in 2.41.0."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 1.3,
"baseSeverity": "LOW",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-05T18:26:20.622Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/frappe/lms/security/advisories/GHSA-2ch7-c74m-432m",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/frappe/lms/security/advisories/GHSA-2ch7-c74m-432m"
}
],
"source": {
"advisory": "GHSA-2ch7-c74m-432m",
"discovery": "UNKNOWN"
},
"title": "Frappe LMS is Missing Server-Side Authorization in Business Logic"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-66581",
"datePublished": "2025-12-05T18:26:20.622Z",
"dateReserved": "2025-12-04T18:53:42.399Z",
"dateUpdated": "2025-12-05T20:09:52.736Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-64707 (GCVE-0-2025-64707)
Vulnerability from cvelistv5 – Published: 2025-11-12 22:27 – Updated: 2025-11-13 14:35
VLAI?
Title
Frappe LMS revoking access did not show immediate effect as roles were cached
Summary
Frappe Learning is a learning system that helps users structure their content. Starting in version 2.0.0 and prior to version 2.41.0, when admins revoked a role from the user, the effect was not immediate because of caching. The issue has been fixed in version 2.41.0 by ensuring the cache is cleared after roles are updated.
Severity ?
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-64707",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-13T14:29:43.078066Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-13T14:35:20.671Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "lms",
"vendor": "frappe",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.0.0, \u003c 2.41.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Frappe Learning is a learning system that helps users structure their content. Starting in version 2.0.0 and prior to version 2.41.0, when admins revoked a role from the user, the effect was not immediate because of caching. The issue has been fixed in version 2.41.0 by ensuring the cache is cleared after roles are updated."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 1.2,
"baseSeverity": "LOW",
"privilegesRequired": "HIGH",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-12T22:27:54.937Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/frappe/lms/security/advisories/GHSA-w2gf-rchw-x6vm",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/frappe/lms/security/advisories/GHSA-w2gf-rchw-x6vm"
}
],
"source": {
"advisory": "GHSA-w2gf-rchw-x6vm",
"discovery": "UNKNOWN"
},
"title": "Frappe LMS revoking access did not show immediate effect as roles were cached"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-64707",
"datePublished": "2025-11-12T22:27:54.937Z",
"dateReserved": "2025-11-10T14:07:42.921Z",
"dateUpdated": "2025-11-13T14:35:20.671Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-64705 (GCVE-0-2025-64705)
Vulnerability from cvelistv5 – Published: 2025-11-12 22:25 – Updated: 2025-11-13 14:35
VLAI?
Title
Frappe user was able to access the submission of other students
Summary
Frappe Learning is a learning system that helps users structure their content. Starting in version 2.0.0 and prior to version 2.41.0, users were able to access the submissions made by other students The issue has been fixed in version 2.41.0 by ensuring proper roles and redirecting if accessed via direct URL.
Severity ?
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-64705",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-13T14:29:49.531816Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-13T14:35:25.946Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "lms",
"vendor": "frappe",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.0.0, \u003c 2.41.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Frappe Learning is a learning system that helps users structure their content. Starting in version 2.0.0 and prior to version 2.41.0, users were able to access the submissions made by other students The issue has been fixed in version 2.41.0 by ensuring proper roles and redirecting if accessed via direct URL."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 1.3,
"baseSeverity": "LOW",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-12T22:25:49.724Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/frappe/lms/security/advisories/GHSA-qrvv-6g7r-g3v8",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/frappe/lms/security/advisories/GHSA-qrvv-6g7r-g3v8"
}
],
"source": {
"advisory": "GHSA-qrvv-6g7r-g3v8",
"discovery": "UNKNOWN"
},
"title": "Frappe user was able to access the submission of other students"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-64705",
"datePublished": "2025-11-12T22:25:49.724Z",
"dateReserved": "2025-11-10T14:07:42.921Z",
"dateUpdated": "2025-11-13T14:35:25.946Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-62779 (GCVE-0-2025-62779)
Vulnerability from cvelistv5 – Published: 2025-10-27 21:19 – Updated: 2025-10-28 15:17
VLAI?
Title
Frappe Learning users were able to add HTML through input fields in the Job Form
Summary
Frappe Learning is a learning system that helps users structure their content. In Frappe Learning 2.39.1 and earlier, users were able to add HTML through input fields in the Job Form.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-62779",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-28T15:03:20.309550Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-28T15:17:15.768Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "lms",
"vendor": "frappe",
"versions": [
{
"status": "affected",
"version": "\u003c= 2.39.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Frappe Learning is a learning system that helps users structure their content. In Frappe Learning 2.39.1 and earlier, users were able to add HTML through input fields in the Job Form."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 1.2,
"baseSeverity": "LOW",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-27T21:19:03.978Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/frappe/lms/security/advisories/GHSA-j6h8-qg65-3fpx",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/frappe/lms/security/advisories/GHSA-j6h8-qg65-3fpx"
},
{
"name": "https://github.com/frappe/lms/commit/75001b494d5d8198eab20b0cd85d5bd719448ea3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/frappe/lms/commit/75001b494d5d8198eab20b0cd85d5bd719448ea3"
}
],
"source": {
"advisory": "GHSA-j6h8-qg65-3fpx",
"discovery": "UNKNOWN"
},
"title": "Frappe Learning users were able to add HTML through input fields in the Job Form"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-62779",
"datePublished": "2025-10-27T21:19:03.978Z",
"dateReserved": "2025-10-22T18:55:48.006Z",
"dateUpdated": "2025-10-28T15:17:15.768Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-62778 (GCVE-0-2025-62778)
Vulnerability from cvelistv5 – Published: 2025-10-27 21:16 – Updated: 2025-10-28 13:38
VLAI?
Title
Frappe Learning allowed students to access the Quiz Form via direct URL
Summary
Frappe Learning is a learning management system. A security issue was identified in Frappe Learning 2.39.1 and earlier, where students were able to access the Quiz Form if they had the URL.
Severity ?
CWE
- CWE-425 - Direct Request ('Forced Browsing')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-62778",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-28T13:16:46.371405Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-28T13:38:07.740Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "lms",
"vendor": "frappe",
"versions": [
{
"status": "affected",
"version": "\u003c= 2.39.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Frappe Learning is a learning management system. A security issue was identified in Frappe Learning 2.39.1 and earlier, where students were able to access the Quiz Form if they had the URL."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 1.3,
"baseSeverity": "LOW",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-425",
"description": "CWE-425: Direct Request (\u0027Forced Browsing\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-27T21:16:06.220Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/frappe/lms/security/advisories/GHSA-8xvv-6v89-xxgx",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/frappe/lms/security/advisories/GHSA-8xvv-6v89-xxgx"
},
{
"name": "https://github.com/frappe/lms/commit/8749e21744547ae32f729bde05c854113e126750",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/frappe/lms/commit/8749e21744547ae32f729bde05c854113e126750"
}
],
"source": {
"advisory": "GHSA-8xvv-6v89-xxgx",
"discovery": "UNKNOWN"
},
"title": "Frappe Learning allowed students to access the Quiz Form via direct URL"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-62778",
"datePublished": "2025-10-27T21:16:06.220Z",
"dateReserved": "2025-10-22T18:55:48.006Z",
"dateUpdated": "2025-10-28T13:38:07.740Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-62158 (GCVE-0-2025-62158)
Vulnerability from cvelistv5 – Published: 2025-10-10 20:05 – Updated: 2025-10-10 20:44
VLAI?
Title
Frappe had attachments made by students to their assignments of type Text set to public
Summary
Frappe Learning is a learning system that helps users structure their content. In versions prior to 2.38.0, the system did stored the attachments uploaded by the students in their assignments as public files. This issue potentially exposed student-uploaded files to the public. Anyone with the file URL could access these files without authentication. The issue has been fixed in version 2.38.0 by ensuring all student-uploaded assignment attachments are stored as private files by default.
Severity ?
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-62158",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-10T20:44:01.340992Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-10T20:44:13.136Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "lms",
"vendor": "frappe",
"versions": [
{
"status": "affected",
"version": "\u003c 2.38.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Frappe Learning is a learning system that helps users structure their content. In versions prior to 2.38.0, the system did stored the attachments uploaded by the students in their assignments as public files. This issue potentially exposed student-uploaded files to the public. Anyone with the file URL could access these files without authentication. The issue has been fixed in version 2.38.0 by ensuring all student-uploaded assignment attachments are stored as private files by default."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 2.7,
"baseSeverity": "LOW",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-10T20:05:38.107Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/frappe/lms/security/advisories/GHSA-h6fh-7f24-f2j5",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/frappe/lms/security/advisories/GHSA-h6fh-7f24-f2j5"
},
{
"name": "https://github.com/frappe/lms/commit/78640561f558a6c7396f8be48874f79a54f03420",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/frappe/lms/commit/78640561f558a6c7396f8be48874f79a54f03420"
}
],
"source": {
"advisory": "GHSA-h6fh-7f24-f2j5",
"discovery": "UNKNOWN"
},
"title": "Frappe had attachments made by students to their assignments of type Text set to public"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-62158",
"datePublished": "2025-10-10T20:05:38.107Z",
"dateReserved": "2025-10-07T16:12:03.424Z",
"dateUpdated": "2025-10-10T20:44:13.136Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-11283 (GCVE-0-2025-11283)
Vulnerability from cvelistv5 – Published: 2025-10-05 05:02 – Updated: 2025-10-06 20:07
VLAI?
Title
Frappe LMS Course cross site scripting
Summary
A vulnerability was determined in Frappe LMS 2.35.0. This affects an unknown function of the component Course Handler. Executing manipulation of the argument Description can lead to cross site scripting. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. It is suggested to upgrade the affected component. The vendor was informed early about a total of four security issues and confirmed that those have been fixed. However, the release notes on GitHub do not mention them.
Severity ?
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Credits
0xHamy (VulDB User)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-11283",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-06T20:07:21.780373Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-06T20:07:29.456Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"Course Handler"
],
"product": "LMS",
"vendor": "Frappe",
"versions": [
{
"status": "affected",
"version": "2.35.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "0xHamy (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was determined in Frappe LMS 2.35.0. This affects an unknown function of the component Course Handler. Executing manipulation of the argument Description can lead to cross site scripting. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. It is suggested to upgrade the affected component. The vendor was informed early about a total of four security issues and confirmed that those have been fixed. However, the release notes on GitHub do not mention them."
},
{
"lang": "de",
"value": "Es wurde eine Schwachstelle in Frappe LMS 2.35.0 entdeckt. Es geht hierbei um eine nicht n\u00e4her spezifizierte Funktion der Komponente Course Handler. Mittels dem Manipulieren des Arguments Description mit unbekannten Daten kann eine cross site scripting-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk erfolgen. Die Schwachstelle wurde \u00f6ffentlich offengelegt und k\u00f6nnte ausgenutzt werden. Es wird geraten, die betroffene Komponente zu aktualisieren."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 2.4,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 2.4,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 3.3,
"vectorString": "AV:N/AC:L/Au:M/C:N/I:P/A:N/E:POC/RL:OF/RC:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Cross Site Scripting",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "Code Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-05T05:02:06.329Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-327017 | Frappe LMS Course cross site scripting",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.327017"
},
{
"name": "VDB-327017 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.327017"
},
{
"name": "Submit #659697 | Frappe Frappe LMS 2.35.0 Cross Site Scripting",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.659697"
},
{
"tags": [
"related"
],
"url": "https://gist.github.com/0xHamy/1f99795df9301a95ee0c6d18028cd3da"
},
{
"tags": [
"exploit"
],
"url": "https://gist.github.com/0xHamy/1f99795df9301a95ee0c6d18028cd3da#steps-to-reproduce"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-10-04T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-10-04T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-10-04T11:28:19.000Z",
"value": "VulDB entry last update"
}
],
"title": "Frappe LMS Course cross site scripting"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-11283",
"datePublished": "2025-10-05T05:02:06.329Z",
"dateReserved": "2025-10-04T09:22:39.244Z",
"dateUpdated": "2025-10-06T20:07:29.456Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-11282 (GCVE-0-2025-11282)
Vulnerability from cvelistv5 – Published: 2025-10-05 04:32 – Updated: 2025-10-07 18:53
VLAI?
Title
Frappe LMS Incomplete Fix CVE-2025-55006 cross site scripting
Summary
A vulnerability was found in Frappe LMS 2.34.x/2.35.0. The impacted element is an unknown function of the component Incomplete Fix CVE-2025-55006. Performing manipulation results in cross site scripting. Remote exploitation of the attack is possible. The exploit has been made public and could be used. The affected component should be upgraded. The vendor was informed early about a total of four security issues and confirmed that those have been fixed. However, the release notes on GitHub do not mention them.
Severity ?
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Credits
0xHamy (VulDB User)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-11282",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-07T18:53:33.193133Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T18:53:36.549Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://gist.github.com/0xHamy/c2a81f2d1c779c513fa3db6f3ad24544#steps-to-reproduce"
},
{
"tags": [
"exploit"
],
"url": "https://vuldb.com/?submit.659696"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"Incomplete Fix CVE-2025-55006"
],
"product": "LMS",
"vendor": "Frappe",
"versions": [
{
"status": "affected",
"version": "2.34.x"
},
{
"status": "affected",
"version": "2.35.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "0xHamy (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in Frappe LMS 2.34.x/2.35.0. The impacted element is an unknown function of the component Incomplete Fix CVE-2025-55006. Performing manipulation results in cross site scripting. Remote exploitation of the attack is possible. The exploit has been made public and could be used. The affected component should be upgraded. The vendor was informed early about a total of four security issues and confirmed that those have been fixed. However, the release notes on GitHub do not mention them."
},
{
"lang": "de",
"value": "Eine Schwachstelle wurde in Frappe LMS 2.34.x/2.35.0 gefunden. Es geht um eine nicht n\u00e4her bekannte Funktion der Komponente Incomplete Fix CVE-2025-55006. Durch Manipulation mit unbekannten Daten kann eine cross site scripting-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk angegangen werden. Der Exploit wurde der \u00d6ffentlichkeit bekannt gemacht und k\u00f6nnte verwendet werden. Es wird empfohlen, die betroffene Komponente zu aktualisieren."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 2.4,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 2.4,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 3.3,
"vectorString": "AV:N/AC:L/Au:M/C:N/I:P/A:N/E:POC/RL:OF/RC:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Cross Site Scripting",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "Code Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-05T04:32:06.034Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-327016 | Frappe LMS Incomplete Fix CVE-2025-55006 cross site scripting",
"tags": [
"vdb-entry"
],
"url": "https://vuldb.com/?id.327016"
},
{
"name": "VDB-327016 | CTI Indicators (IOB, IOC, TTP)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.327016"
},
{
"name": "Submit #659696 | Frappe Frappe LMS 2.35.0 Cross Site Scripting",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.659696"
},
{
"tags": [
"related"
],
"url": "https://github.com/frappe/lms/security/advisories/GHSA-mvxw-r9x4-3vrr"
},
{
"tags": [
"exploit"
],
"url": "https://gist.github.com/0xHamy/c2a81f2d1c779c513fa3db6f3ad24544#steps-to-reproduce"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-10-04T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-10-04T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-10-04T11:28:18.000Z",
"value": "VulDB entry last update"
}
],
"title": "Frappe LMS Incomplete Fix CVE-2025-55006 cross site scripting"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-11282",
"datePublished": "2025-10-05T04:32:06.034Z",
"dateReserved": "2025-10-04T09:22:36.514Z",
"dateUpdated": "2025-10-07T18:53:36.549Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-11281 (GCVE-0-2025-11281)
Vulnerability from cvelistv5 – Published: 2025-10-05 04:02 – Updated: 2025-10-07 19:12
VLAI?
Title
Frappe LMS Unpublished Course courses access control
Summary
A vulnerability has been found in Frappe LMS 2.35.0. The affected element is an unknown function of the file /courses/ of the component Unpublished Course Handler. Such manipulation leads to improper access controls. The attack may be launched remotely. This attack is characterized by high complexity. The exploitability is described as difficult. The exploit has been disclosed to the public and may be used. You should upgrade the affected component. The vendor was informed early about a total of four security issues and confirmed that those have been fixed. However, the release notes on GitHub do not mention them.
Severity ?
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Credits
0xHamy (VulDB User)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-11281",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-07T19:11:59.135800Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T19:12:19.266Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://vuldb.com/?submit.659695"
},
{
"tags": [
"exploit"
],
"url": "https://gist.github.com/0xHamy/5ebd820ad30f33827011e9a614fb2f89"
},
{
"tags": [
"exploit"
],
"url": "https://gist.github.com/0xHamy/5ebd820ad30f33827011e9a614fb2f89#steps-to-reproduce"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"Unpublished Course Handler"
],
"product": "LMS",
"vendor": "Frappe",
"versions": [
{
"status": "affected",
"version": "2.35.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "0xHamy (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been found in Frappe LMS 2.35.0. The affected element is an unknown function of the file /courses/ of the component Unpublished Course Handler. Such manipulation leads to improper access controls. The attack may be launched remotely. This attack is characterized by high complexity. The exploitability is described as difficult. The exploit has been disclosed to the public and may be used. You should upgrade the affected component. The vendor was informed early about a total of four security issues and confirmed that those have been fixed. However, the release notes on GitHub do not mention them."
},
{
"lang": "de",
"value": "In Frappe LMS 2.35.0 ist eine Schwachstelle entdeckt worden. Betroffen hiervon ist ein unbekannter Ablauf der Datei /courses/ der Komponente Unpublished Course Handler. Durch die Manipulation mit unbekannten Daten kann eine improper access controls-Schwachstelle ausgenutzt werden. Der Angriff kann remote ausgef\u00fchrt werden. Das Durchf\u00fchren eines Angriffs ist mit einer relativ hohen Komplexit\u00e4t verbunden. Das Ausnutzen gilt als schwierig. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung. Als bestm\u00f6gliche Massnahme wird das Einspielen eines Upgrades empfohlen."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 2.3,
"baseSeverity": "LOW",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 4.6,
"vectorString": "AV:N/AC:H/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "Improper Access Controls",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-266",
"description": "Incorrect Privilege Assignment",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-05T04:02:05.630Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-327015 | Frappe LMS Unpublished Course courses access control",
"tags": [
"vdb-entry"
],
"url": "https://vuldb.com/?id.327015"
},
{
"name": "VDB-327015 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.327015"
},
{
"name": "Submit #659695 | Frappe Frappe LMS 2.35.0 Improper Access Controls",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.659695"
},
{
"tags": [
"related"
],
"url": "https://gist.github.com/0xHamy/5ebd820ad30f33827011e9a614fb2f89"
},
{
"tags": [
"exploit"
],
"url": "https://gist.github.com/0xHamy/5ebd820ad30f33827011e9a614fb2f89#steps-to-reproduce"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-10-04T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-10-04T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-10-04T11:28:16.000Z",
"value": "VulDB entry last update"
}
],
"title": "Frappe LMS Unpublished Course courses access control"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-11281",
"datePublished": "2025-10-05T04:02:05.630Z",
"dateReserved": "2025-10-04T09:22:33.609Z",
"dateUpdated": "2025-10-07T19:12:19.266Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-11280 (GCVE-0-2025-11280)
Vulnerability from cvelistv5 – Published: 2025-10-05 03:32 – Updated: 2025-10-07 19:36
VLAI?
Title
Frappe LMS Assignment Picture files direct request
Summary
A flaw has been found in Frappe LMS 2.35.0. Impacted is an unknown function of the file /files/ of the component Assignment Picture Handler. This manipulation causes direct request. The attack may be initiated remotely. The attack's complexity is rated as high. The exploitability is considered difficult. The exploit has been published and may be used. It is advisable to upgrade the affected component. The vendor was informed early about a total of four security issues and confirmed that those have been fixed. However, the release notes on GitHub do not mention them.
Severity ?
CWE
- CWE-425 - Direct Request
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Credits
0xHamy (VulDB User)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-11280",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-07T19:36:51.684179Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T19:36:55.895Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://vuldb.com/?submit.659694"
},
{
"tags": [
"exploit"
],
"url": "https://gist.github.com/0xHamy/beb840a754f50a7ee6500600147a6ac1"
},
{
"tags": [
"exploit"
],
"url": "https://gist.github.com/0xHamy/beb840a754f50a7ee6500600147a6ac1#steps-to-reproduce"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"Assignment Picture Handler"
],
"product": "LMS",
"vendor": "Frappe",
"versions": [
{
"status": "affected",
"version": "2.35.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "0xHamy (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A flaw has been found in Frappe LMS 2.35.0. Impacted is an unknown function of the file /files/ of the component Assignment Picture Handler. This manipulation causes direct request. The attack may be initiated remotely. The attack\u0027s complexity is rated as high. The exploitability is considered difficult. The exploit has been published and may be used. It is advisable to upgrade the affected component. The vendor was informed early about a total of four security issues and confirmed that those have been fixed. However, the release notes on GitHub do not mention them."
},
{
"lang": "de",
"value": "In Frappe LMS 2.35.0 wurde eine Schwachstelle gefunden. Betroffen davon ist ein unbekannter Prozess der Datei /files/ der Komponente Assignment Picture Handler. Mit der Manipulation mit unbekannten Daten kann eine direct request-Schwachstelle ausgenutzt werden. Umgesetzt werden kann der Angriff \u00fcber das Netzwerk. Ein Angriff erfordert eine vergleichsweise hohe Komplexit\u00e4t. Sie ist schwierig auszunutzen. Die Ausnutzung wurde ver\u00f6ffentlicht und kann verwendet werden. Die Aktualisierung der betroffenen Komponente wird empfohlen."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 3.7,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 3.7,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 2.6,
"vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N/E:POC/RL:OF/RC:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-425",
"description": "Direct Request",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-05T03:32:06.307Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-327014 | Frappe LMS Assignment Picture files direct request",
"tags": [
"vdb-entry"
],
"url": "https://vuldb.com/?id.327014"
},
{
"name": "VDB-327014 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.327014"
},
{
"name": "Submit #659694 | Frappe Frappe LMS 2.35.0 Improper Access Controls",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.659694"
},
{
"tags": [
"related"
],
"url": "https://gist.github.com/0xHamy/beb840a754f50a7ee6500600147a6ac1"
},
{
"tags": [
"exploit"
],
"url": "https://gist.github.com/0xHamy/beb840a754f50a7ee6500600147a6ac1#steps-to-reproduce"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-10-04T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-10-04T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-10-04T11:28:14.000Z",
"value": "VulDB entry last update"
}
],
"title": "Frappe LMS Assignment Picture files direct request"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-11280",
"datePublished": "2025-10-05T03:32:06.307Z",
"dateReserved": "2025-10-04T09:22:22.603Z",
"dateUpdated": "2025-10-07T19:36:55.895Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-59415 (GCVE-0-2025-59415)
Vulnerability from cvelistv5 – Published: 2025-09-17 21:07 – Updated: 2025-09-18 13:58
VLAI?
Title
Frappe Learning vulnerable to Malicious Content upload via Profile bio field
Summary
Frappe Learning is a learning system that helps users structure their content. In versions 2.34.1 and below, there is a security vulnerability in Frappe Learning where the system did not adequately sanitize the content uploaded in the profile bio. Malicious SVG files could be used to execute arbitrary scripts in the context of other users.
Severity ?
4.6 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-59415",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-18T13:58:38.663050Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-18T13:58:43.346Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "lms",
"vendor": "frappe",
"versions": [
{
"status": "affected",
"version": "\u003c= 2.34.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Frappe Learning is a learning system that helps users structure their content. In versions 2.34.1 and below, there is a security vulnerability in Frappe Learning where the system did not adequately sanitize the content uploaded in the profile bio. Malicious SVG files could be used to execute arbitrary scripts in the context of other users."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-17T21:07:58.471Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/frappe/lms/security/advisories/GHSA-h7gh-3vq5-96jx",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/frappe/lms/security/advisories/GHSA-h7gh-3vq5-96jx"
},
{
"name": "https://github.com/frappe/lms/commit/ed162e254690772365d4d1365f176b59bc4db72d",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/frappe/lms/commit/ed162e254690772365d4d1365f176b59bc4db72d"
}
],
"source": {
"advisory": "GHSA-h7gh-3vq5-96jx",
"discovery": "UNKNOWN"
},
"title": "Frappe Learning vulnerable to Malicious Content upload via Profile bio field"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-59415",
"datePublished": "2025-09-17T21:07:58.471Z",
"dateReserved": "2025-09-15T19:13:16.903Z",
"dateUpdated": "2025-09-18T13:58:43.346Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-55006 (GCVE-0-2025-55006)
Vulnerability from cvelistv5 – Published: 2025-08-09 02:01 – Updated: 2025-08-11 14:49
VLAI?
Title
Frappe Learning Holds Potential for Malicious SVG Upload in Image Upload Feature
Summary
Frappe Learning is a learning system that helps users structure their content. In versions 2.33.0 and below, the image upload functionality did not adequately sanitize uploaded SVG files. This allowed users to upload SVG files containing embedded JavaScript or other potentially malicious content. Malicious SVG files could be used to execute arbitrary scripts in the context of other users. A fix for this issue is planned for version 2.34.0.
Severity ?
4.3 (Medium)
CWE
- CWE-20 - Improper Input Validation
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-55006",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-11T14:49:19.058477Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-11T14:49:39.107Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "lms",
"vendor": "frappe",
"versions": [
{
"status": "affected",
"version": "\u003c= 2.33.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Frappe Learning is a learning system that helps users structure their content. In versions 2.33.0 and below, the image upload functionality did not adequately sanitize uploaded SVG files. This allowed users to upload SVG files containing embedded JavaScript or other potentially malicious content. Malicious SVG files could be used to execute arbitrary scripts in the context of other users. A fix for this issue is planned for version 2.34.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-09T02:01:57.136Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/frappe/lms/security/advisories/GHSA-mvxw-r9x4-3vrr",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/frappe/lms/security/advisories/GHSA-mvxw-r9x4-3vrr"
}
],
"source": {
"advisory": "GHSA-mvxw-r9x4-3vrr",
"discovery": "UNKNOWN"
},
"title": "Frappe Learning Holds Potential for Malicious SVG Upload in Image Upload Feature"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-55006",
"datePublished": "2025-08-09T02:01:57.136Z",
"dateReserved": "2025-08-04T17:34:24.421Z",
"dateUpdated": "2025-08-11T14:49:39.107Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-42807 (GCVE-0-2023-42807)
Vulnerability from cvelistv5 – Published: 2023-09-21 16:37 – Updated: 2024-09-24 14:50
VLAI?
Title
Frappe LMS SQL Injection Issue on People Page
Summary
Frappe LMS is an open source learning management system. In versions 1.0.0 and prior, on the People Page of LMS, there was an SQL Injection vulnerability. The issue has been fixed in the `main` branch. Users won't face this issue if they are using the latest main branch of the app.
Severity ?
6.3 (Medium)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T19:30:24.171Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/frappe/lms/security/advisories/GHSA-wvq3-3wvp-6x63",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/frappe/lms/security/advisories/GHSA-wvq3-3wvp-6x63"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-42807",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-24T14:29:02.498966Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-24T14:50:49.075Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "lms",
"vendor": "frappe",
"versions": [
{
"status": "affected",
"version": "\u003c= 1.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Frappe LMS is an open source learning management system. In versions 1.0.0 and prior, on the People Page of LMS, there was an SQL Injection vulnerability. The issue has been fixed in the `main` branch. Users won\u0027t face this issue if they are using the latest main branch of the app."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-09-21T16:37:49.041Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/frappe/lms/security/advisories/GHSA-wvq3-3wvp-6x63",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/frappe/lms/security/advisories/GHSA-wvq3-3wvp-6x63"
}
],
"source": {
"advisory": "GHSA-wvq3-3wvp-6x63",
"discovery": "UNKNOWN"
},
"title": "Frappe LMS SQL Injection Issue on People Page"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-42807",
"datePublished": "2023-09-21T16:37:49.041Z",
"dateReserved": "2023-09-14T16:13:33.307Z",
"dateUpdated": "2024-09-24T14:50:49.075Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}