Frappe Learning Management System Server-Side Authorization Flaw Allowing Role Escalation

Vulnerability

A vulnerability in Frappe Learning Management System (LMS) versions prior to 2.41.0 allowed authenticated users to bypass their assigned roles and access features meant for higher-privileged users. This issue arose because the affected endpoints depended on client-side checks rather than enforcing permissions on the server. As a result, users with low-privileged roles, such as students, could exploit the API to perform actions reserved for instructors or administrators. The vulnerability has been addressed in version 2.41.0.
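The flaw class above, an endpoint that trusts what the client says about the caller instead of consulting the server's own session and role data, is easiest to see side by side with its fix. The Python below is an added illustration written for this page; it is not Frappe LMS code and does not reproduce the patched endpoints. The function names, the role names and the in-memory SERVER_ROLES store are constructed stand-ins so it runs offline; in a Frappe app the authoritative inputs are frappe.session.user and frappe.get_roles(), and frappe.only_for() or frappe.has_permission() perform the gate.

```python
"""Server-side authorization for an API handler: vulnerable pattern vs. fix.

Added example, not Frappe LMS code. Everything here (SERVER_ROLES, Batch,
the enroll_* and send_announcement handlers) is a constructed stand-in.
"""
from dataclasses import dataclass, field
from functools import wraps


class AuthorizationError(Exception):
    """Raised when the server-side check rejects the caller."""


@dataclass
class Batch:
    name: str
    published: bool
    enrolled: set = field(default_factory=set)


# Constructed server-side role store. It stands in for the session/role lookup
# a framework performs itself (in Frappe: frappe.get_roles(frappe.session.user)).
SERVER_ROLES = {
    "student@example.com": {"LMS Student"},
    "instructor@example.com": {"LMS Student", "Course Creator"},
}
BATCH_MANAGER_ROLES = {"Course Creator", "Moderator", "Administrator"}


def require_roles(*allowed):
    """Decorator: look the caller's roles up on the server and refuse the call
    unless one of `allowed` is held. The first argument of the wrapped function
    is the authenticated session user, never a value taken from the request."""
    def deco(fn):
        @wraps(fn)
        def wrapper(session_user, *args, **kwargs):
            roles = SERVER_ROLES.get(session_user, set())
            if not roles & set(allowed):
                raise AuthorizationError(f"{session_user} lacks any of {sorted(allowed)}")
            return fn(session_user, *args, **kwargs)
        return wrapper
    return deco


def enroll_vulnerable(session_user, batch, is_manager=False):
    """Flaw pattern: the UI hides the action from students, but the endpoint
    decides based on a client-sent flag, so any caller can supply it."""
    if not batch.published and not is_manager:
        raise AuthorizationError("batch is not open for enrolment")
    batch.enrolled.add(session_user)
    return sorted(batch.enrolled)


def enroll_hardened(session_user, batch):
    """Same action, with the decision made from server-side state only."""
    roles = SERVER_ROLES.get(session_user, set())
    if not batch.published and not roles & BATCH_MANAGER_ROLES:
        raise AuthorizationError("batch is not open for enrolment")
    batch.enrolled.add(session_user)
    return sorted(batch.enrolled)


@require_roles("Course Creator", "Moderator", "Administrator")
def send_announcement(session_user, batch, message):
    """Batch-wide announcement; the role gate is enforced by the decorator."""
    return {"batch": batch.name, "from": session_user,
            "to": sorted(batch.enrolled), "message": message}


def _blocked(fn, *args, **kwargs):
    """True if the handler refused the call with AuthorizationError."""
    try:
        fn(*args, **kwargs)
    except AuthorizationError:
        return True
    return False


def demo():
    """Run a student and an instructor against both handlers on an unpublished
    batch and report the outcomes as a dict of booleans."""
    student, instructor = "student@example.com", "instructor@example.com"
    return {
        # The student adds is_manager=True to the request body; the vulnerable
        # handler cannot tell this apart from a legitimate manager.
        "vulnerable_student_enrolled": student in enroll_vulnerable(
            student, Batch("batch-2026-q1", published=False), is_manager=True),
        "hardened_student_blocked": _blocked(
            enroll_hardened, student, Batch("batch-2026-q1", published=False)),
        "hardened_instructor_enrolled": instructor in enroll_hardened(
            instructor, Batch("batch-2026-q1", published=False)),
        "announcement_student_blocked": _blocked(
            send_announcement, student, Batch("batch-2026-q1", published=True), "hi"),
        "announcement_instructor_sent": send_announcement(
            instructor, Batch("batch-2026-q1", published=True), "hi")["from"] == instructor,
    }


if __name__ == "__main__":
    for outcome, value in demo().items():
        print(f"{outcome}: {value}")
```

The point to carry into a code review of any such endpoint: every branch that grants a privileged action must read the caller's identity and roles from server state, and a request parameter may describe what the caller wants, never who the caller is.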

Impact

Exploitation of this vulnerability allowed low-privileged users to perform a variety of actions intended for instructors or administrators. These actions included enrolling in unpublished course batches, deleting sidebar pages, posting discussion messages in courses or batches where they were not enrolled, modifying course and batch metadata, generating course certificates without meeting completion requirements, sending batch-wide announcements to learners, and assigning badges to themselves and other users.

Remediation

Users can upgrade to Frappe LMS version 2.41.0 to address this vulnerability.

Added: Dec 5, 2025, 7:19 PM
Updated: Dec 5, 2025, 7:19 PM

Vulnerability Rating

Custom Algorithm
spread: 1.0
impact: 1.3
exploitability: 5.4
remediation: 7.7
relevance: 1.2
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.