Lucene search
K
FrappeLearning

21 matches found

CVE
CVE
added 2023/09/21 4:37 p.m.95 views

CVE-2023-42807

CVE-2023-42807 affects Frappe LMS prior to the latest main branch. The vulnerability is an SQL injection in the People Page of the LMS (versions 1.0.0 and earlier). Root cause: unsafely constructed SQL on the People Page allowing data extraction/manipulation. Impact: high across confidentiality, ...

9.8CVSS8.4AI score0.00348EPSS
CVE
CVE
added 2023/10/12 10:32 a.m.56 views

CVE-2023-5555

CVE-2023-5555 is a Cross-site Scripting (XSS) vulnerability in Frappe LMS (frappe/lms) with XSS in the GitHub repository before 5614a6203fb7d438be8e2b1e3030e4528d170ec4. Connected sources identify the affected component as the LMS front-end/backend code handling user input such as search and tags...

7.1CVSS6.2AI score0.00442EPSS
CVE
CVE
added 2025/08/09 2:1 a.m.28 views

CVE-2025-55006

CVE-2025-55006 affects Frappe LMS 2.34.x/2.35.0. The issue stems from an incomplete fix for CVE-2025-55006, enabling cross-site scripting via manipulated input. Remote exploitation is described as possible; an exploit has been made public per connected sources. A remediation is to upgrade to a ve...

8.8CVSS7.6AI score0.00245EPSS
CVE
CVE
added 2025/10/05 4:32 a.m.21 views

CVE-2025-11282

CVE-2025-11282 affects Frappe LMS 2.34.x/2.35.0 due to an incomplete fix for CVE-2025-55006, enabling cross-site scripting via manipulated input. The vulnerability allows remote exploitation and an exploit has been publicized. The issue is linked to an unknown function in the affected component; ...

6.1CVSS4.2AI score0.00361EPSS
CVE
CVE
added 2025/10/10 8:5 p.m.19 views

CVE-2025-62158

Summary: Frappe Learning prior to version 2.38.0 stored student assignment attachments as public files, enabling unauthenticated access via file URLs. The underlying issue is the exposure of uploaded files through public storage. Affected products/versions: Frappe Learning,

6.9CVSS6.3AI score0.00268EPSS
CVE
CVE
added 2025/09/17 9:7 p.m.17 views

CVE-2025-59415

CVE-2025-59415 affects Frappe Learning, versions 2.34.1 and earlier, where profile bio content wasn’t properly sanitized. This allows malicious SVGs to execute scripts in other users’ contexts, per multiple sources. The vulnerability arises from inadequate content sanitization in profile bios. Re...

5.4CVSS6.8AI score0.00228EPSS
CVE
CVE
added 2026/02/11 9:32 p.m.17 views

CVE-2026-26031

The CVE describes a privacy flaw in Frappe Learning Management System (LMS) prior to version 2.44.0, where unauthorised users could retrieve the full list of enrolled students (by email) in batches. Affected software is the Frappe LMS prior to 2.44.0; the root cause is not explicitly detailed in ...

5.3CVSS5.5AI score0.00177EPSS
CVE
CVE
added 2025/10/05 5:2 a.m.16 views

CVE-2025-11283

CVE-2025-11283 affects Frappe LMS 2.35.0, specifically the Course Handler component. The vulnerability arises from manipulation of the Description argument in Course Handler, enabling cross-site scripting (XSS) via a remote attack. Public disclosures exist detailing the exploit. The recommended r...

4.8CVSS5.5AI score0.00379EPSS
CVE
CVE
added 2026/01/14 6:25 p.m.16 views

CVE-2026-23497

CVE-2026-23497 affects Frappe Learning Management System (LMS) up to and including version 2.44.0, where a stored XSS vulnerability arises from unsanitized image filenames rendered on course and jobs pages. The root cause is image filename handling that allows malicious JavaScript execution. The ...

5.4CVSS5.8AI score0.00142EPSS
CVE
CVE
added 2026/02/20 12:56 a.m.16 views

CVE-2026-26977

Frappe Learning Management System (LMS)

6.9CVSS5.5AI score0.00289EPSS
CVE
CVE
added 2025/10/27 9:19 p.m.15 views

CVE-2025-62779

Frappe Learning

5.4CVSS6.3AI score0.00168EPSS
CVE
CVE
added 2025/11/12 10:25 p.m.14 views

CVE-2025-64705

Frappe Learning version range 2.0.0–2.40.9 suffers an information-disclosure vulnerability where users could view submissions from other students due to improper access control and direct URL access. The issue is fixed in version 2.41.0 by enforcing proper roles and redirecting direct URL access....

5.3CVSS6.4AI score0.00191EPSS
CVE
CVE
added 2026/04/08 8:7 p.m.14 views

CVE-2026-39415

CVE-2026-39415 affects Frappe LMS prior to 2.46.0, where quiz scores could be altered client-side before submission due to reliance on client-side calculated scores. Impact: data integrity of quiz results is compromised; no confidentiality breach or privilege escalation reported. Remediation: upg...

5.3CVSS5.8AI score0.00262EPSS
CVE
CVE
added 2025/10/05 3:32 a.m.13 views

CVE-2025-11280

The CVE-2025-11280 vulnerability affects Frappe LMS 2.35.0, in the Assignment Picture Handler component’s /files/ area. It enables a remote, high-complexity manipulation of a direct request, with exploitability rated as difficult and the exploit published. Upgrade the affected component as remedi...

6.3CVSS6.1AI score0.00445EPSS
CVE
CVE
added 2025/10/05 4:2 a.m.13 views

CVE-2025-11281

CVE-2025-11281 affects Frappe LMS 2.35.0 and involves an unknown function in the /courses/ path of the Unpublished Course Handler, leading to improper access controls. The issue is exploitable remotely, with high attack complexity and low privileges required; exploitation is described as possible...

5CVSS6.4AI score0.00327EPSS
CVE
CVE
added 2025/10/27 9:16 p.m.13 views

CVE-2025-62778

CVE-2025-62778 affects Frappe Learning (LMS) prior to version 2.39.1. The issue allows students to access the Quiz Form directly via URL, implying unauthorized access to quiz content. Root cause and impact details are stated in multiple sources but no exploit specifics are provided. Mitigation re...

5.3CVSS6.3AI score0.00197EPSS
CVE
CVE
added 2025/12/12 7:23 a.m.13 views

CVE-2025-67730

CVE-2025-67730 affects Frappe Learning Management System (LMS). Details across sources show that versions prior to 2.42.0 allow authenticated users to inject malicious HTML and JavaScript via description fields in the Job, Course, and Batch forms, leading to cross-site scripting (XSS). The issue ...

5.4CVSS6AI score0.00144EPSS
CVE
CVE
added 2025/12/12 7:48 p.m.13 views

CVE-2025-67734

CVE-2025-67734 affects Frappe Learning Management System (LMS) prior to version 2.42.0. The vulnerability arises from the Company Website field in the Job Form, where an authenticated attacker can inject JavaScript, leading to a cross-site scripting (XSS) attack that executes in the browsers of u...

5.4CVSS5.5AI score0.00138EPSS
CVE
CVE
added 2025/11/12 10:27 p.m.12 views

CVE-2025-64707

Summary : CVE-2025-64707 affects Frappe Learning (LMS). From versions 2.0.0 up to and including 2.41.0, revoking a user’s role could be delayed in effect due to caching, meaning revoked permissions could persist briefly. This behavior has been fixed in version 2.41.0 by ensuring the cache is clea...

5.4CVSS6.4AI score0.00148EPSS
CVE
CVE
added 2025/12/05 6:26 p.m.12 views

CVE-2025-66581

Frappe LMS (versions before 2.41.0) has a server-side authorization flaw where endpoints relied on client-side checks, allowing authenticated low-privilege users (e.g., students) to perform actions outside their roles via the API. The issue is fixed in 2.41.0. Affected component: server-side perm...

6.5CVSS6.2AI score0.00181EPSS
CVE
CVE
added 2026/04/02 5:50 p.m.12 views

CVE-2026-34606

CVE-2026-34606 concerns Frappe LMS. The vulnerability is a stored XSS affecting Frappe LMS releases from version 2.27.0 up to 2.47.x (i.e., before 2.48.0). The issue has been patched in 2.48.0 . The provided sources do not supply exploit details, affected modules, or specific attack vectors beyon...

6.9CVSS5.8AI score0.00189EPSS