
CVE-2025-64705: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in frappe lms

Severity: Low
Tags: Vulnerability, CVE-2025-64705, CWE-200
Published: Wed Nov 12 2025 (11/12/2025, 22:25:49 UTC)
Source: CVE Database V5
Vendor/Project: frappe
Product: lms

Description

Frappe Learning is a learning system that helps users structure their content. Starting in version 2.0.0 and prior to version 2.41.0, users were able to access the submissions made by other students. The issue has been fixed in version 2.41.0 by ensuring proper roles and redirecting if accessed via direct URL.

AI-Powered Analysis

Last updated: 11/19/2025, 23:17:28 UTC

Technical Analysis

CVE-2025-64705 is a CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) weakness in Frappe Learning, the Frappe learning management system (LMS). It affects versions from 2.0.0 up to but not including 2.41.0. In those versions a user with an ordinary student account could open the submission page of another student: the server did not verify that the requester owned the submission or held a reviewing role before returning it, so reaching the page by direct URL was enough. This is a horizontal authorization failure. The attacker needs nothing beyond a valid low-privilege account and a submission URL, and no interaction from the victim, so the flaw is remotely exploitable with low complexity.

The vendor fixed the issue in version 2.41.0 by enforcing the role check and redirecting users who reach the page by direct URL without authorization. The redirect is only the user-facing behaviour; the control that closes the disclosure is the server-side role check, which must run before any submission data is returned or rendered. A redirect applied after the data has already been sent, or applied only in the client, would not prevent the exposure.

No exploitation in the wild was reported as of the publication date. The CVSS v4.0 score is 1.3 (Low), reflecting that an authenticated account is required and that only submission data is exposed. Even so, student submissions are personal data, and exposing them to other students can carry privacy and compliance consequences in jurisdictions with strict data protection law. The case illustrates why LMS platforms need per-object authorization checks, not just page-level role gating, to protect student data confidentiality.
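The following is an added illustration, not code from Frappe Learning, of the class of bug described above: a pre-fix handler that hands any submission to any logged-in user who supplies its ID, beside a hardened handler that verifies ownership or a reviewing role on the server before returning anything. The in-memory data model, the user names, the submission IDs and the role names ("LMS Student", "Instructor") are assumptions made for the example; Frappe's real role names and data model differ.

```python
"""Constructed model of a missing per-object authorization check.

Added example for this page; not Frappe Learning code. All names below
(users, roles, submission IDs) are assumptions.
"""
from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)


@dataclass
class Submission:
    id: str
    student: str  # owner of the submission
    body: str


# Constructed sample data: three students, one of whom also reviews work.
USERS = {
    "alice": User("alice", {"LMS Student"}),
    "bob": User("bob", {"LMS Student"}),
    "carol": User("carol", {"LMS Student", "Instructor"}),
}
SUBMISSIONS = {
    "SUB-0001": Submission("SUB-0001", "alice", "alice's answer"),
    "SUB-0002": Submission("SUB-0002", "bob", "bob's answer"),
}


class Forbidden(Exception):
    """Raised when the requester may not read the submission."""


def get_submission_vulnerable(requester: str, submission_id: str) -> Submission:
    """Pre-fix pattern: the page is gated on 'is logged in' only.

    Any authenticated user who reaches the URL gets the record; the
    requester parameter is never compared against the owner.
    """
    return SUBMISSIONS[submission_id]


def get_submission_fixed(requester: str, submission_id: str) -> Submission:
    """Post-fix pattern: authorize before any data leaves the server.

    The requester must own the submission or hold a reviewing role.
    Unknown IDs raise the same error as denied ones so that a caller
    cannot use the error type to enumerate which IDs exist.
    """
    sub = SUBMISSIONS.get(submission_id)
    if sub is None:
        raise Forbidden("not permitted")
    user = USERS[requester]
    if sub.student == requester or "Instructor" in user.roles:
        return sub
    raise Forbidden("not permitted")


def can_read(requester: str, submission_id: str) -> bool:
    """True if the hardened handler would serve this submission."""
    try:
        get_submission_fixed(requester, submission_id)
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    # bob reads alice's work through the old handler, but not the new one.
    print(get_submission_vulnerable("bob", "SUB-0001").body)
    print("bob -> SUB-0001:", can_read("bob", "SUB-0001"))
    print("carol -> SUB-0001:", can_read("carol", "SUB-0001"))
```

The point to carry over to a real code base is where the check lives: it has to run inside the server-side handler that loads the record, before the response is built, because the redirect the vendor mentions only controls what the browser does next.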

Potential Impact

For European organizations, particularly educational institutions and training providers running Frappe Learning versions from 2.0.0 up to but not including 2.41.0, this vulnerability creates a risk of unauthorized disclosure of student submissions to other students. Student submissions are personal data, so such exposure can breach student privacy, engage obligations under the EU General Data Protection Regulation (GDPR), and cause reputational damage; in regulated environments it could trigger audits or penalties. The vulnerability does not affect system integrity or availability, but a confidentiality breach of this kind undermines trust in the platform and in the institution's data handling. It can also indirectly affect assessment integrity, since a student who can read peers' submissions can copy them. While no active exploitation is known, the flaw requires only an ordinary student account and a direct URL, which makes opportunistic exposure realistic.

Mitigation Recommendations

Upgrade Frappe Learning to version 2.41.0 or later; the fix enforces the role check server-side and redirects unauthorized direct-URL access. Until the upgrade is applied: audit which accounts hold instructor, moderator or similar reviewing roles and reduce them to those who need them; and review access logs for a single account reading many distinct submissions in a short period, which is the observable pattern of this flaw being exercised. A web application firewall cannot fix this vulnerability, because whether a given student may see a given submission depends on ownership that the WAF does not know; at most it can rate-limit or alert on rapid sequential requests to submission URLs, so treat it as a detection aid, not a control. Asking users not to share direct URLs is likewise not a control, since the server served the page to any authenticated account that reached it. Multi-factor authentication does not address this issue either: the attacker is a legitimately authenticated student, and the defect is in authorization, not authentication. Keep an inventory of deployed LMS versions, apply security releases promptly, and, for compliance, document the mitigation steps taken and any evidence of exposure found in the logs.
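As an added example, not part of the original page or of the Frappe project, the following sketch of the log review suggested above parses constructed access-log lines and flags any account that reads many distinct submission IDs inside a short sliding window. The log line format, the "/lms/submission/<id>" path shape, the five-minute window and the threshold of five distinct IDs are all assumptions for the example; adapt the regular expression to the real web-server or Frappe request log.

```python
"""Access-log heuristic for submission enumeration.

Added example for this page; the log format, URL path prefix and
thresholds are assumptions, not Frappe Learning specifics.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines: timestamp, authenticated user, method, path, status.
SAMPLE_LOG = """\
2025-11-12T10:00:01Z alice GET /lms/submission/SUB-0001 200
2025-11-12T10:00:05Z bob GET /lms/submission/SUB-0002 200
2025-11-12T10:00:06Z bob GET /lms/submission/SUB-0003 200
2025-11-12T10:00:07Z bob GET /lms/submission/SUB-0004 200
2025-11-12T10:00:08Z bob GET /lms/submission/SUB-0005 200
2025-11-12T10:00:09Z bob GET /lms/submission/SUB-0006 200
2025-11-12T10:00:10Z bob GET /lms/submission/SUB-0007 200
2025-11-12T10:30:00Z alice GET /lms/submission/SUB-0001 200
2025-11-12T11:00:00Z carol GET /lms/submission/SUB-0002 200
"""

# Assumed line shape; only submission page requests are matched.
LINE_RE = re.compile(
    r"^(\S+) (\S+) (\S+) (/lms/submission/([^/\s?]+)) (\d{3})$"
)


def parse(log_text):
    """Return (timestamp, user, submission_id, status) for each matching line."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(5), int(m.group(6))))
    return events


def find_enumerators(events, window=timedelta(minutes=5), threshold=5):
    """Map user -> max number of distinct submission IDs read in any window,
    for users reaching the threshold. Only successful (200) reads count."""
    by_user = defaultdict(list)
    for ts, user, sub_id, status in events:
        if status == 200:
            by_user[user].append((ts, sub_id))

    flagged = {}
    for user, reads in by_user.items():
        reads.sort()
        best = 0
        start = 0
        for end in range(len(reads)):
            # Slide the window start forward until it fits inside `window`.
            while reads[end][0] - reads[start][0] > window:
                start += 1
            distinct = len({s for _, s in reads[start:end + 1]})
            best = max(best, distinct)
        if best >= threshold:
            flagged[user] = best
    return flagged


if __name__ == "__main__":
    for user, count in find_enumerators(parse(SAMPLE_LOG)).items():
        print(f"possible enumeration: {user} read {count} distinct submissions")
```

A student legitimately revisits their own few submissions, so the distinct-ID count within a window separates normal use from someone walking through other students' work; tune the window and threshold to the course size, and join the flagged IDs against the submission owner table to confirm the reads were not the account's own.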


Technical Details

Data Version
5.2
Assigner Short Name
GitHub_M
Date Reserved
2025-11-10T14:07:42.921Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 69150c3912715e9af455a309

Added to database: 11/12/2025, 10:37:45 PM

Last enriched: 11/19/2025, 11:17:28 PM

Last updated: 12/28/2025, 2:49:50 AM
