Login Sign Up

CVE-2025-11281

5.0 MEDIUM
Authentication Bypass

📋 TL;DR

This vulnerability in Frappe LMS 2.35.0 allows attackers to bypass access controls on unpublished courses through the /courses/ endpoint. Attackers can potentially access restricted course content without proper authorization. The vulnerability affects all systems running the vulnerable version of Frappe LMS.

💻 Affected Systems

Products:
  • Frappe LMS
Versions: 2.35.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Frappe LMS version 2.35.0; other versions may be unaffected.

📦 What is this software?

Learning by Frappe

View all CVEs affecting Learning →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Unauthorized access to unpublished course materials, potentially including sensitive educational content, intellectual property, or private student data.

🟠

Likely Case

Unauthorized viewing of unpublished course content that should only be accessible to instructors or administrators.

🟢

If Mitigated

No impact if proper access controls are implemented or the vulnerability is patched.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: HIGH

Exploit details are publicly available but require specific knowledge of the system and attack complexity is high.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version after 2.35.0

Vendor Advisory: Not specified in provided references

Restart Required: Yes

Instructions:

1. Upgrade Frappe LMS to the latest version. 2. Verify the fix by checking that unpublished courses are no longer accessible via the vulnerable endpoint.

🔧 Temporary Workarounds

Restrict access to /courses/ endpoint

all

Implement network-level or application-level access controls to restrict unauthorized access to the /courses/ endpoint.

Disable unpublished course functionality

all

Temporarily disable the unpublished course handler component until patching can be completed.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate the Frappe LMS instance from untrusted networks.
  • Deploy a web application firewall (WAF) with rules to detect and block unauthorized access attempts to the /courses/ endpoint.

🔍 How to Verify

Check if Vulnerable:

Check if running Frappe LMS version 2.35.0 and test if unpublished courses are accessible via the /courses/ endpoint without proper authorization.

Check Version:

Check Frappe LMS version in application settings or via the admin interface.

Verify Fix Applied:

After upgrading, verify that unpublished courses are no longer accessible without proper authentication and authorization.

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized access attempts to /courses/ endpoint
  • Multiple failed authentication attempts followed by successful access to unpublished courses

Network Indicators:

  • Unusual traffic patterns to /courses/ endpoint from unauthorized IP addresses

SIEM Query:

source="frappe_lms" AND (url_path="/courses/" AND (user="anonymous" OR auth_status="failed"))

📊 Metadata

CVE ID: CVE-2025-11281
CVSS v3 Score: 5.0 (MEDIUM)
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
CWE: CWE-266
EPSS Score: 0.06% exploit probability (17.7th percentile)
Published: October 5, 2025
Last Updated: October 7, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-11281, you might also want to check these:

CVE-2026-23800 10.0

This vulnerability allows attackers to escalate privileges in Modular DS modular-connector WordPress...

Same vulnerability type (CWE-266)
CVE-2026-23550 10.0

This critical vulnerability in Modular DS allows attackers to escalate privileges due to incorrect p...

Same vulnerability type (CWE-266)
CVE-2025-41115 10.0

A critical vulnerability in Grafana's SCIM provisioning allows malicious SCIM clients to provision u...

Same vulnerability type (CWE-266)