CVE-2025-11280: 
NixOS vulnerability analysis and mitigation

A vulnerability has been discovered in Frappe LMS version 2.35.0, identified as CVE-2025-11280. The flaw affects the Assignment Picture Handler component, specifically the /files/ directory functionality. This vulnerability was disclosed on October 4, 2025, and allows unauthorized access to files that should be restricted. The vendor was informed about this issue along with three other security concerns, and while they confirmed the fixes, these are not mentioned in the GitHub release notes (GitHub Exploit, VulDB Entry).

The vulnerability is classified as a direct request vulnerability (CWE-425), where the web application fails to properly enforce authorization controls on restricted files. The attack complexity is rated as high with a CVSS v3.1 base score of 3.7 LOW (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N). The vulnerability allows remote exploitation without requiring authentication (VulDB Entry, GitHub Exploit).

The vulnerability exposes files that should remain private between students and instructors to unauthorized access. Sensitive data in student submissions can be leaked, and the predictable nature of file paths makes enumeration attacks possible. This primarily affects the confidentiality of user data, as files uploaded through the system become publicly accessible (GitHub Exploit).

The recommended mitigation includes enforcing authentication and authorization checks on all file requests under the /files/ directory, ensuring that only authorized users (file owners and course instructors) can access assignment submissions, and storing uploaded files in a location that is not directly web-accessible. Files should only be served after proper permission verification (GitHub Exploit).