CVE-2025-10719
📋 TL;DR
CVE-2025-10719 is an Insecure Direct Object Reference vulnerability in Tronclass by WisdomGarden that allows authenticated users to access other users' files by modifying parameters. This affects all Tronclass deployments where users have regular privileges. The vulnerability enables unauthorized access to potentially sensitive user data.
💻 Affected Systems
- Tronclass Learning Management System
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could access and exfiltrate sensitive user files including personal documents, assignments, and confidential materials, leading to data breaches and privacy violations.
Likely Case
Malicious users accessing other users' course materials, assignments, or personal files, potentially enabling academic dishonesty or harassment.
If Mitigated
Limited access to non-sensitive files or detection of anomalous access patterns before significant damage occurs.
🎯 Exploit Status
Exploitation requires authenticated access and parameter manipulation. No public exploit code available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check with WisdomGarden for specific patched version
Vendor Advisory: https://www.twcert.org.tw/en/cp-139-10397-49db1-2.html
Restart Required: No
Instructions:
1. Contact WisdomGarden for the security patch.
2. Apply the patch to your Tronclass installation.
3. Verify proper access controls are functioning.
🔧 Temporary Workarounds
Implement Access Control Validation
Add server-side validation on every file request that compares the requested file's owner with the authenticated user, rather than trusting the client-supplied file identifier, so users can only access their own files
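The following is an added illustration of that workaround, not Tronclass or WisdomGarden code: a file-download handler in the IDOR pattern (it looks up whatever file ID the client sends) beside a hardened version whose lookup is scoped to the authenticated user. The in-memory `FILES` store, the `StoredFile` type and the sample IDs are constructed for the demonstration; a real deployment would make the same ownership comparison against its database (for example by adding the owner to the lookup predicate) or through its existing authorization layer.

```python
"""Illustrative IDOR fix: a file-download handler with and without an
ownership check. Added example, not Tronclass/WisdomGarden code; the
storage layer, types and identifiers below are constructed."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class StoredFile:
    file_id: int
    owner_id: int
    name: str


# Constructed sample store, keyed by file_id. In a real system this is a
# database table with an owner column.
FILES = {
    101: StoredFile(101, owner_id=1, name="alice-assignment.pdf"),
    102: StoredFile(102, owner_id=2, name="bob-notes.docx"),
}


class Forbidden(Exception):
    """Raised when the authenticated user may not access the requested file."""


def download_vulnerable(current_user_id: int, file_id: int) -> Optional[StoredFile]:
    """IDOR pattern: the handler trusts the client-supplied file_id and never
    compares the file's owner with the authenticated user, so changing the
    parameter returns another user's file."""
    return FILES.get(file_id)


def is_owner(current_user_id: int, file_id: int) -> bool:
    """Server-side authorization check: True only if the file exists and
    belongs to the authenticated user."""
    f = FILES.get(file_id)
    return f is not None and f.owner_id == current_user_id


def download_hardened(current_user_id: int, file_id: int) -> StoredFile:
    """Hardened handler: the ownership check runs on every request. A file
    that exists but belongs to someone else produces the same error as a
    missing file, so the response does not reveal which IDs exist."""
    if not is_owner(current_user_id, file_id):
        raise Forbidden(f"user {current_user_id} may not access file {file_id}")
    return FILES[file_id]


if __name__ == "__main__":
    # User 1 asks for user 2's file: the vulnerable handler returns it,
    # the hardened one refuses.
    print("vulnerable:", download_vulnerable(1, 102))
    try:
        download_hardened(1, 102)
    except Forbidden as exc:
        print("hardened:", exc)
```

Files that are legitimately shared (course materials visible to an enrolled class, for example) need an explicit sharing or enrollment rule in `is_owner`'s place; the point is that the decision is made on the server from the authenticated identity, never from the identifier in the request.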
🧯 If You Can't Patch
- Implement strict file access logging and monitoring for anomalous patterns
- Segment user data and implement additional authentication checks for file access
🔍 How to Verify
Check if Vulnerable:
Test if authenticated users can access other users' files by modifying file ID parameters in requests
Check Version:
Check Tronclass version in admin panel or contact WisdomGarden support
Verify Fix Applied:
Verify that parameter manipulation no longer allows access to unauthorized user files
📡 Detection & Monitoring
Log Indicators:
- Multiple failed file access attempts from single user
- User accessing files with IDs not belonging to them
- Unusual file download patterns
Network Indicators:
- HTTP requests with manipulated file ID parameters
- Unusual file transfer volumes from user accounts
SIEM Query:
source="tronclass" AND (event="file_access" AND user_id!=file_owner_id)
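As an added example (not Tronclass output or a WisdomGarden-supplied rule), the detection logic behind the log indicators and the SIEM query above, run over a handful of constructed JSON-lines events. The field names `event`, `user_id` and `file_owner_id` mirror the query; `file_id`, `status` and `ts` are assumed fields, and the failure threshold is an arbitrary constructed tuning value.

```python
"""Detection logic for cross-user file access and repeated denied access,
run over constructed sample log lines. Added example; the log format and
field names beyond those in the SIEM query are assumptions."""
import json
from collections import Counter

# Constructed sample events (JSON lines). Real Tronclass logs may differ.
SAMPLE_LOG = """\
{"ts":"2025-10-01T09:00:01Z","event":"file_access","user_id":7,"file_id":101,"file_owner_id":7,"status":"ok"}
{"ts":"2025-10-01T09:00:05Z","event":"file_access","user_id":7,"file_id":102,"file_owner_id":8,"status":"ok"}
{"ts":"2025-10-01T09:00:06Z","event":"file_access","user_id":7,"file_id":103,"file_owner_id":9,"status":"denied"}
{"ts":"2025-10-01T09:00:07Z","event":"file_access","user_id":7,"file_id":104,"file_owner_id":9,"status":"denied"}
{"ts":"2025-10-01T09:00:08Z","event":"file_access","user_id":7,"file_id":105,"file_owner_id":9,"status":"denied"}
{"ts":"2025-10-01T09:01:00Z","event":"login","user_id":8}
{"ts":"2025-10-01T09:02:00Z","event":"file_access","user_id":8,"file_id":102,"file_owner_id":8,"status":"ok"}
"""

# Constructed threshold for the "multiple failed file access attempts" indicator.
FAILED_THRESHOLD = 3


def parse_events(text):
    """Parse JSON-lines log text into a list of event dicts, skipping blanks."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def cross_user_access(events):
    """Equivalent of the SIEM query: file_access events where the requesting
    user is not the file's owner (whether or not the request succeeded)."""
    return [e for e in events
            if e.get("event") == "file_access"
            and e.get("user_id") != e.get("file_owner_id")]


def successful_cross_user_access(events):
    """The high-severity subset: cross-user requests the server actually served.
    On a patched system this list should be empty."""
    return [e for e in cross_user_access(events) if e.get("status") == "ok"]


def users_with_many_failures(events, threshold=FAILED_THRESHOLD):
    """Users whose denied file_access count reaches the threshold, a sign of
    someone iterating file IDs after the fix is in place."""
    denied = Counter(e["user_id"] for e in events
                     if e.get("event") == "file_access" and e.get("status") == "denied")
    return {user: n for user, n in denied.items() if n >= threshold}


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    for e in successful_cross_user_access(evts):
        print("ALERT served cross-user access:", e["user_id"], "->", e["file_id"])
    for user, n in users_with_many_failures(evts).items():
        print("ALERT repeated denied access:", user, n)
```

In the sample, user 7 retrieves file 102 (owned by user 8) and is then denied three further files, so both alerts fire; user 8 reading their own file does not. Files that are intentionally shared with a course will also match the `user_id != file_owner_id` condition, so in production the query needs an exclusion for the platform's sharing or enrollment relationships before it is used for alerting rather than review.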