CVE-2025-62158 LOW

CVE-2025-62158: Frappe had attachments made by students to their assignments of type Text set to public

Vendor Frappe
Product lms
Weakness CWE-200 · Info exposure
Published October 10, 2025
Last update October 10, 2025

CVSS base score

2.7/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality Low
Integrity None

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U

What the vulnerability does

01 Description

Frappe Learning is a learning system that helps users structure their content. In versions prior to 2.38.0, the system stored the attachments that students uploaded with their assignments as public files. This potentially exposed student-uploaded files to the public: anyone with the file URL could access these files without authentication. The issue has been fixed in version 2.38.0 by ensuring all student-uploaded assignment attachments are stored as private files by default.

Key dates

02 Disclosure timeline

October 10, 2025 CVE published
October 10, 2025 Record updated