Submission #659695: Frappe Frappe LMS 2.35.0 Improper Access Controls (Info)

Title: Frappe Frappe LMS 2.35.0 Improper Access Controls
Description:
FRAPPE LMS 2.35.0 – IMPROPER ACCESS CONTROLS ALLOWING UNAUTHORIZED VIEWING OF UNPUBLISHED COURSES

SUMMARY
Frappe LMS version 2.35.0 allows unauthenticated users to access unpublished courses. According to official documentation, courses should only be visible once published. However, by knowing the course name, anyone can directly access its page regardless of publication status.

VULNERABILITY DETAILS
Frappe's intended behavior is that courses remain inaccessible until explicitly published. Instead, courses are only hidden from the visual course listing, but their pages remain accessible via direct URL.
- For unauthenticated users: course metadata can be viewed.
- For authenticated users with the LMS Student role: full course content becomes visible, and assignments can be submitted even when the course is unpublished.

STEPS TO REPRODUCE
1. Log in as administrator.
2. Create a new course.
   - Go to: http://127.0.0.1:8000/lms/courses
   - Create a course.
3. Ensure the course is unpublished.
   - In course settings, leave the "Published" checkbox unchecked.
4. Access the unpublished course.
   - Log out, or open an incognito/private browser.
   - Navigate directly to the course URL by using its name, for example: http://127.0.0.1:8000/lms/courses/MyGrandCourse
5. Observe the results.
   - As an unauthenticated user, you can still access the course page.
   - If logged in as an LMS Student, you can view unpublished course content and even submit assignments.

IMPACT
- Confidentiality risk: unpublished courses are not properly restricted.
- Course authors may unintentionally expose drafts or incomplete material.
- Students can interact with courses that should not yet be available.

RECOMMENDATION
- Apply strict access controls to unpublished courses.
- Ensure that course content and metadata are completely inaccessible unless the "Published" flag is set.
- Validate access permissions at the controller level, not just in UI display logic.

AFFECTED VERSION
- Frappe LMS v2.35.0

CREDITS
Reported by:
- 0xHamy (https://github.com/0xHamy)
- KhanMarshaI (https://github.com/KhanMarshaI)
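The recommendation above (enforce the "Published" flag at the controller, not only in the listing) is easier to reason about in code. The following is an added example and is not Frappe LMS code: it models the reported behaviour, a listing that filters on the flag while the course page and assignment handlers do not check it, next to hardened handlers that share one authorization rule. The Course/User model, the role names "Admin" and "LMS Student", the course names and the (status, body) handler shape are assumptions for illustration.

```python
"""Controller-level access check for course pages and assignment submission.

Added example, not Frappe LMS code. Models the reported flaw (only the listing
filters on the "published" flag) beside a hardened version where every handler
that touches a course runs the same authorization rule. Data model, roles,
course names and handler return shape are assumptions for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Course:
    name: str
    published: bool
    instructors: frozenset = frozenset()


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset = frozenset()


GUEST = User("Guest")  # an unauthenticated request

# Constructed sample data: one unpublished draft and one published course.
COURSES = {
    "MyGrandCourse": Course("MyGrandCourse", published=False, instructors=frozenset({"alice"})),
    "IntroCourse": Course("IntroCourse", published=True),
}


def list_courses():
    """Listing page: this filter is the only place the vulnerable version checks the flag."""
    return sorted(c.name for c in COURSES.values() if c.published)


# Vulnerable shape: detail and submit handlers trust that the listing did the filtering.
def course_page_vulnerable(course_name, user):
    course = COURSES.get(course_name)
    if course is None:
        return 404, {"error": "not found"}
    return 200, {"name": course.name, "published": course.published}


def submit_assignment_vulnerable(course_name, user, answer):
    course = COURSES.get(course_name)
    if course is None:
        return 404, {"error": "not found"}
    if "LMS Student" not in user.roles:
        return 403, {"error": "students only"}
    return 200, {"course": course.name, "submitted": answer}


# Hardened shape: one authorization rule, applied before any course data is returned.
def can_view_course(course, user):
    """Published courses are public; drafts are visible only to their instructors or admins."""
    if course.published:
        return True
    return "Admin" in user.roles or user.name in course.instructors


def load_course_or_none(course_name, user):
    """Return the course only if the caller may see it. A draft the caller may not
    see is reported exactly like a missing course, so the response does not
    confirm that the name exists."""
    course = COURSES.get(course_name)
    if course is None or not can_view_course(course, user):
        return None
    return course


def course_page_fixed(course_name, user):
    course = load_course_or_none(course_name, user)
    if course is None:
        return 404, {"error": "not found"}
    return 200, {"name": course.name, "published": course.published}


def submit_assignment_fixed(course_name, user, answer):
    course = load_course_or_none(course_name, user)
    if course is None:
        return 404, {"error": "not found"}
    if "LMS Student" not in user.roles:
        return 403, {"error": "students only"}
    return 200, {"course": course.name, "submitted": answer}


if __name__ == "__main__":
    student = User("bob", frozenset({"LMS Student"}))
    print("listing:", list_courses())
    print("guest, draft page, vulnerable:", course_page_vulnerable("MyGrandCourse", GUEST)[0])
    print("guest, draft page, fixed:", course_page_fixed("MyGrandCourse", GUEST)[0])
    print("student submit to draft, vulnerable:", submit_assignment_vulnerable("MyGrandCourse", student, "x")[0])
    print("student submit to draft, fixed:", submit_assignment_fixed("MyGrandCourse", student, "x")[0])
```

The design point is that the published check lives in one function that every handler calls before touching course data, so a new endpoint cannot forget it the way the detail and submit handlers did; returning 404 rather than 403 for drafts the caller may not see also keeps the URL from acting as an existence oracle for course names.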
Source: https://gist.github.com/0xHamy/5ebd820ad30f33827011e9a614fb2f89
User: 0xHamy (UID 88518)
Submitted: 2025-09-21 09:27 PM (9 months ago)
Moderation: 2025-10-04 11:23 AM (13 days later)
Status: Accepted
VulDB Entry: 327015 [Frappe LMS 2.35.0 Unpublished Course /courses/ privilege escalation]
Points: 20
