CVE-2025-11281: 
NixOS vulnerability analysis and mitigation

A vulnerability has been discovered in Frappe LMS version 2.35.0 affecting the unpublished course handler component. The vulnerability allows unauthorized access to unpublished courses through improper access controls in the /courses/ functionality. The issue was disclosed on October 5, 2025, and has been assigned CVE-2025-11281 (NVD).

The vulnerability stems from improper access control implementation in the course visibility mechanism. While courses are hidden from the visual listing when unpublished, their pages remain accessible via direct URL. The vulnerability has a CVSS v3.1 base score of 5.0 (MEDIUM) with vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L, indicating network accessibility with high attack complexity and low privileges required (NVD).

The vulnerability allows unauthenticated users to view course metadata of unpublished courses, while authenticated users with LMS Student role can access full course content and submit assignments for unpublished courses. This creates a confidentiality risk where draft or incomplete course materials may be unintentionally exposed (GitHub Gist).

The recommended mitigation is to apply strict access controls to unpublished courses, ensuring that both course content and metadata are completely inaccessible unless the 'Published' flag is set. Access permissions should be validated at the controller level, not just in the UI display logic (GitHub Gist).