
Cloud Vulnerability DB
A community-led vulnerabilities database
A vulnerability has been discovered in Frappe LMS version 2.35.0, identified as CVE-2025-11280. The flaw affects the Assignment Picture Handler component, specifically in the /files/ directory functionality. This security issue was discovered in October 2025 and involves improper access controls that allow unauthorized access to files (GitHub POC, NVD).
The vulnerability stems from improper access control in the file handling system. Files uploaded through the Assignment Picture Handler component are stored in the /files/ directory and served by direct URL, with no authentication check on the request. The vulnerability has been assigned a CVSS v4.0 score of 6.3 (Medium) and a CVSS v3.1 score of 3.7 (Low); the attack vector is network and the attack complexity is rated high (NVD).
The vulnerability allows unauthorized users to access private files and assignment submissions without authentication. Any files uploaded by students or instructors can be accessed by anyone who knows or can guess the file path. This exposure of sensitive academic materials could lead to privacy breaches and unauthorized access to student submissions (GitHub POC).
Security researchers recommend implementing authentication and authorization checks on all file requests under the /files/ directory. Additionally, uploaded files should be stored in a location that is not directly web-accessible, and file access should be mediated through a system that verifies user permissions. The vendor has been informed about this and other security issues, though specific patches are not yet mentioned in GitHub release notes (GitHub POC).
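As an added illustration of the mediated-access design recommended above (example code written for this entry, not Frappe LMS's own implementation): uploads live in a directory outside the web root, every request must carry an authenticated user, and the file is served only if that user owns it or has been granted access. The storage layout, the `UploadRecord` fields and the user ids are assumptions.

```python
"""Mediated access to uploads stored outside the web root (illustrative, not Frappe code)."""
from dataclasses import dataclass, field
from pathlib import Path
from typing import Optional
import tempfile


@dataclass
class UploadRecord:
    owner: str                                      # user who submitted the file
    shared_with: set = field(default_factory=set)   # e.g. the grading instructor


class FileGate:
    """Serves files from a private base directory only after auth, authz and path checks."""

    def __init__(self, base_dir: Path, records: dict[str, UploadRecord]):
        self.base_dir = base_dir.resolve()
        self.records = records

    def _safe_path(self, name: str) -> Optional[Path]:
        # Reject any name that resolves outside base_dir ("..", absolute paths, symlinks).
        candidate = (self.base_dir / name).resolve()
        return candidate if self.base_dir in candidate.parents else None

    def fetch(self, user: Optional[str], name: str) -> tuple[int, bytes]:
        """Return (status, body): 401 unauthenticated, 403 not permitted, 404 missing."""
        if user is None:
            return 401, b""
        record = self.records.get(name)
        if record is None or not (user == record.owner or user in record.shared_with):
            # Unknown names and forbidden names get the same answer, so paths cannot be probed.
            return 403, b""
        path = self._safe_path(name)
        if path is None or not path.is_file():
            return 404, b""
        return 200, path.read_bytes()


def demo() -> dict[str, int]:
    """Constructed sample: one assignment picture owned by 'alice', shared with 'prof'."""
    base = Path(tempfile.mkdtemp())
    (base / "assignment1.png").write_bytes(b"PNG-bytes")
    gate = FileGate(base, {"assignment1.png": UploadRecord("alice", {"prof"})})
    return {
        "anonymous": gate.fetch(None, "assignment1.png")[0],       # 401
        "other_student": gate.fetch("bob", "assignment1.png")[0],  # 403
        "owner": gate.fetch("alice", "assignment1.png")[0],        # 200
        "instructor": gate.fetch("prof", "assignment1.png")[0],    # 200
        "traversal": gate.fetch("alice", "../secret.txt")[0],      # 403
        "path_escape_blocked": int(gate._safe_path("../secret.txt") is None),  # 1
    }
```

Compare with the reported behaviour: a direct URL under /files/ returns the file to anyone who knows the path, whereas here the anonymous and unrelated-user requests never reach the filesystem.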
Source: This report was generated using AI