CVE-2020-37114

GUnet OpenEclass 1.7.3 allows unauthenticated and authenticated users to access sensitive information, including system information, application version, and other students' uploaded assessments, due to improper access controls and information disclosure flaws in various modules. Attackers can...

CVE-2025-61148

An Insecure Direct Object Reference IDOR vulnerability in the EduplusCampus 3.0.1 Student Payment API allows authenticated users to access other students personal and financial records by modifying the 'recno' parameter in the /student/get-receipt endpoint...

CVE-2025-64705

Frappe Learning version range 2.0.0–2.40.9 suffers an information-disclosure vulnerability where users could view submissions from other students due to improper access control and direct URL access. The issue is fixed in version 2.41.0 by enforcing proper roles and redirecting direct URL access....

CVE-2025-64705 Frappe user was able to access the submission of other students

Frappe Learning is a learning system that helps users structure their content. Starting in version 2.0.0 and prior to version 2.41.0, users were able to access the submissions made by other students The issue has been fixed in version 2.41.0 by ensuring proper roles and redirecting if accessed vi...

EUVD-2025-35911

The Tutor LMS Pro – eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.8.3 due to missing validation on a user controlled key when viewing and editing assignments through the tutorassignmentsubmit...

CVE-2023-34962

Incorrect access control in Chamilo v1.11.x up to v1.11.18 allows a student to arbitrarily access and modify another student's personal notes...