CVE-2025-62158: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in frappe lms
Frappe Learning is a learning system that helps users structure their content. In versions prior to 2.38.0, the system stored the attachments uploaded by students in their assignments as public files. This issue potentially exposed student-uploaded files to the public. Anyone with the file URL could access these files without authentication. The issue has been fixed in version 2.38.0 by ensuring all student-uploaded assignment attachments are stored as private files by default.
AI Analysis
Technical Summary
CVE-2025-62158 identifies a vulnerability in the Frappe Learning Management System (LMS) prior to version 2.38.0, where student-uploaded assignment attachments were inadvertently stored as public files. This storage misconfiguration meant that any individual with knowledge of the file URL could access these files without any authentication or authorization checks, leading to an exposure of sensitive student data. The vulnerability is classified under CWE-200, indicating exposure of sensitive information to unauthorized actors. The root cause was the default file storage setting that did not enforce privacy on uploaded attachments. The issue was corrected in version 2.38.0 by ensuring that all student-uploaded assignment files are stored as private by default, restricting access only to authorized users. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U) indicates that the vulnerability is remotely exploitable without authentication or user interaction, but the impact on confidentiality is low, and there is no impact on integrity or availability. No known exploits have been reported in the wild, suggesting limited active exploitation. The vulnerability primarily affects confidentiality by exposing potentially sensitive student data, such as personal documents or assignment content, to unauthorized parties who can guess or discover the file URLs. The scope is limited to organizations using affected versions of Frappe LMS, particularly educational institutions managing student assignments. Since the vulnerability does not allow modification or deletion of data, the overall risk is considered low but still significant for privacy compliance and data protection.
Potential Impact
For European organizations, particularly educational institutions using Frappe LMS versions prior to 2.38.0, this vulnerability poses a risk to the confidentiality of student data. Exposure of student-uploaded files could lead to privacy violations, potential breaches of GDPR regulations, and reputational damage. Although the vulnerability does not affect data integrity or system availability, unauthorized access to sensitive educational content or personal information could result in compliance penalties and loss of trust. The impact is more pronounced in institutions with large student populations or those handling sensitive or regulated educational content. Since the vulnerability requires no authentication and no user interaction, any attacker with knowledge or discovery of file URLs can access the data, increasing the risk of data leakage. However, the absence of known exploits in the wild and the low CVSS score suggest that the threat is currently limited but should not be ignored given the sensitivity of educational data and regulatory environment in Europe.
Mitigation Recommendations
1. Upgrade all Frappe LMS installations to version 2.38.0 or later immediately to ensure that student-uploaded files are stored as private by default.
2. Conduct a thorough audit of existing file storage permissions to identify and remediate any publicly accessible student files uploaded prior to the patch.
3. Implement access controls and monitoring on file storage systems to detect unauthorized access attempts.
4. Educate system administrators and LMS users about secure file handling practices and the importance of protecting student data.
5. Review and update data privacy policies to ensure compliance with GDPR and other relevant regulations, emphasizing secure storage of student information.
6. Consider implementing URL access logging and anomaly detection to identify potential unauthorized file access.
7. Regularly review LMS configurations and updates to prevent similar misconfigurations in the future.
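An added example, not from the advisory or the Frappe project, combining the audit in step 2 with the log review in step 6: it flags assignment attachments that are still served from the public path and lists which client addresses fetched them. Assumptions: rows are an export of Frappe's File doctype (`file_url`, `is_private`, `attached_to_doctype`), public files are served under `/files/` and private ones under `/private/files/`, the submission doctype is named "LMS Assignment Submission", and the web server writes combined-format access logs; all sample data is constructed.

```python
import re
from urllib.parse import unquote, urlsplit

# Assumption: doctype name that student submissions are attached to.
SUBMISSION_DOCTYPE = "LMS Assignment Submission"

# Constructed rows shaped like an export of Frappe's File doctype.
FILE_ROWS = [
    {"name": "f1", "file_url": "/files/essay-anna.pdf", "is_private": 0,
     "attached_to_doctype": SUBMISSION_DOCTYPE},
    {"name": "f2", "file_url": "/private/files/essay-ben.pdf", "is_private": 1,
     "attached_to_doctype": SUBMISSION_DOCTYPE},
    {"name": "f3", "file_url": "/files/course-banner.png", "is_private": 0,
     "attached_to_doctype": "LMS Course"},  # not a submission: out of scope
    {"name": "f4", "file_url": "/files/lab%20report.docx", "is_private": 1,
     "attached_to_doctype": SUBMISSION_DOCTYPE},  # flag set, URL still public
]

# Constructed access-log lines (combined log format, documentation IP ranges).
ACCESS_LOG = """\
203.0.113.7 - - [09/Oct/2025:10:01:02 +0000] "GET /files/essay-anna.pdf HTTP/1.1" 200 48211 "-" "curl/8.5.0"
198.51.100.4 - - [09/Oct/2025:10:03:40 +0000] "GET /files/course-banner.png HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
203.0.113.7 - - [09/Oct/2025:10:05:11 +0000] "GET /files/lab%20report.docx?x=1 HTTP/1.1" 200 1337 "-" "curl/8.5.0"
198.51.100.9 - - [09/Oct/2025:10:06:00 +0000] "GET /private/files/essay-ben.pdf HTTP/1.1" 403 0 "-" "Mozilla/5.0"
"""

LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) (\S+) [^"]*" (\d{3}) ')

def exposed_attachments(rows):
    """Map decoded public path -> File name for submissions not stored privately."""
    out = {}
    for r in rows:
        if r["attached_to_doctype"] != SUBMISSION_DOCTYPE:
            continue
        path = unquote(urlsplit(r["file_url"]).path)
        # Either signal counts: flag unset, or URL outside the private prefix.
        if not r["is_private"] or not path.startswith("/private/files/"):
            out[path] = r["name"]
    return out

def fetched(exposed, log_text):
    """Map File name -> set of client IPs that successfully retrieved it."""
    hits = {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m or m.group(3) not in ("200", "206", "304"):
            continue
        path = unquote(urlsplit(m.group(2)).path)  # drop query, decode %xx
        if path in exposed:
            hits.setdefault(exposed[path], set()).add(m.group(1))
    return hits
```

Files returned by `exposed_attachments` are the ones to convert to private storage after upgrading; entries in `fetched` indicate which of them were already retrieved while public.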
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Sweden, Belgium, Poland, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-10-07T16:12:03.424Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68e96ae14338e1ae7d7efb3e
Added to database: 10/10/2025, 8:21:53 PM
Last enriched: 10/10/2025, 8:22:16 PM
Last updated: 10/10/2025, 11:18:07 PM