Description
Classroomio LMS version 0.1.13 suffers from multiple insecure direct object reference vulnerabilities...
Basic Information
ID
PACKETSTORM:212008
Published
Nov 25, 2025 at 00:00
Affected Product
Affected Versions
# CVE-2025-65670
An Insecure Direct Object Reference (IDOR) in classroomio 0.1.13 allows students to access sensitive admin/teacher endpoints by manipulating course IDs in URLs, resulting in unauthorized disclosure of sensitive course, admin, and student data. The leak occurs momentarily before the system reverts to a normal state restricting access.Discovered by - Rivek Raj Tamang (RivuDon), Sikkim, India.
**Affected Product: ClassroomIO**
* Affected Version: 0.1.13
* **Discovered by: Rivek Raj Tamang (RivuDon), Sikkim, India**
## Vulnerability Details
Insecure Direct Object Reference / Broken Access Control
# Summary
This vulnerability allows a student-level user to momentarily access privileged admin-only endpoints by directly manipulating course IDs in the URL. Due to missing authorization checks and improper access validation, sensitive course analytics, attendance records, submissions, people lists, and marks become exposed before the system reverts to enforcing restrictions. This brief but critical information disclosure constitutes an IDOR-based Broken Access Control issue and can lead to leakage of sensitive administrative and student data.
## Steps to Reproduce
Login as Admin
1. Create and publish a course with enrolled students.
2. Access admin endpoints for the course e.g..
courses/<course-ID>/analytics, courses/<course-ID>/attendance, courses/<course-ID>/submissions, courses/<course-ID>/people, courses/<course-ID>/marks,
3. Admin can view expected data.
Login as Student
4. Join the course via Explore
5. Verify Students cannot see admin in the UI
6. Find the course ID (e.g. by inspecting course lessons URL).
7. Manually access the admin endpoints by crafting URLs such as:
courses/<course-ID>/analytics, courses/<course-ID>/attendance, courses/<course-ID>/submissions, courses/<course-ID>/people, courses/<course-ID>/marks,
8. The system responds with data meant only for Admin/Teacher roles momentarily, leaking sensitive information before reverting to restricting access.
# Acknowledgement
This vulnerability was discovered and responsibly reported by:
**Rivek Raj Tamang (RivuDon) from Sikkim, India**
https://www.linkedin.com/in/rivektamang/
https://rivudon.medium.com/
-------------------
# CVE-2025-65672
Insecure Direct Object Reference (IDOR) in classroomio 0.1.13 allows unauthorized share and invite access to course settings.
**Affected Product: ClassroomIO**
* Affected Version: 0.1.13
* **Discovered by: Rivek Raj Tamang (RivuDon), Sikkim, India**
## Vulnerability Details
Insecure Direct Object Reference (IDOR) / Broken Access Control
# Summary
ClassroomIO version 0.1.13 contains an IDOR vulnerability that allows a student (non-privileged user) to access restricted Course Settings, specifically the Share and Invite management interfaces.
This flaw arises due to improper authorization checks on sensitive endpoints, enabling privilege escalation and unauthorized course manipulation.
## Steps to Reproduce
1. Create Course (Admin)
2. Log in as an Admin and create/publish a new course.
3. Student View
Log in as a Student.
Navigate to the course using the Explore page.
Note the course ID in the URL.
5. Access Restricted Pages Directly
Replace {course-id} with a valid course ID and visit:
/courses/{course-id}/settings#share
/courses/{course-id}/people?add=true
7. Observe the Impact
The student is able to access:
Share Settings
Invite/People Management Panel
These actions are meant only for the course admin, but due to missing access checks, the student gains unauthorized control.
# Acknowledgement
This vulnerability was discovered and responsibly reported by:
**Rivek Raj Tamang (RivuDon) from Sikkim, India**
https://www.linkedin.com/in/rivektamang/
https://rivudon.medium.com/
An Insecure Direct Object Reference (IDOR) in classroomio 0.1.13 allows students to access sensitive admin/teacher endpoints by manipulating course IDs in URLs, resulting in unauthorized disclosure of sensitive course, admin, and student data. The leak occurs momentarily before the system reverts to a normal state restricting access.Discovered by - Rivek Raj Tamang (RivuDon), Sikkim, India.
**Affected Product: ClassroomIO**
* Affected Version: 0.1.13
* **Discovered by: Rivek Raj Tamang (RivuDon), Sikkim, India**
## Vulnerability Details
Insecure Direct Object Reference / Broken Access Control
# Summary
This vulnerability allows a student-level user to momentarily access privileged admin-only endpoints by directly manipulating course IDs in the URL. Due to missing authorization checks and improper access validation, sensitive course analytics, attendance records, submissions, people lists, and marks become exposed before the system reverts to enforcing restrictions. This brief but critical information disclosure constitutes an IDOR-based Broken Access Control issue and can lead to leakage of sensitive administrative and student data.
## Steps to Reproduce
Login as Admin
1. Create and publish a course with enrolled students.
2. Access admin endpoints for the course e.g..
courses/<course-ID>/analytics, courses/<course-ID>/attendance, courses/<course-ID>/submissions, courses/<course-ID>/people, courses/<course-ID>/marks,
3. Admin can view expected data.
Login as Student
4. Join the course via Explore
5. Verify Students cannot see admin in the UI
6. Find the course ID (e.g. by inspecting course lessons URL).
7. Manually access the admin endpoints by crafting URLs such as:
courses/<course-ID>/analytics, courses/<course-ID>/attendance, courses/<course-ID>/submissions, courses/<course-ID>/people, courses/<course-ID>/marks,
8. The system responds with data meant only for Admin/Teacher roles momentarily, leaking sensitive information before reverting to restricting access.
# Acknowledgement
This vulnerability was discovered and responsibly reported by:
**Rivek Raj Tamang (RivuDon) from Sikkim, India**
https://www.linkedin.com/in/rivektamang/
https://rivudon.medium.com/
-------------------
# CVE-2025-65672
Insecure Direct Object Reference (IDOR) in classroomio 0.1.13 allows unauthorized share and invite access to course settings.
**Affected Product: ClassroomIO**
* Affected Version: 0.1.13
* **Discovered by: Rivek Raj Tamang (RivuDon), Sikkim, India**
## Vulnerability Details
Insecure Direct Object Reference (IDOR) / Broken Access Control
# Summary
ClassroomIO version 0.1.13 contains an IDOR vulnerability that allows a student (non-privileged user) to access restricted Course Settings, specifically the Share and Invite management interfaces.
This flaw arises due to improper authorization checks on sensitive endpoints, enabling privilege escalation and unauthorized course manipulation.
## Steps to Reproduce
1. Create Course (Admin)
2. Log in as an Admin and create/publish a new course.
3. Student View
Log in as a Student.
Navigate to the course using the Explore page.
Note the course ID in the URL.
5. Access Restricted Pages Directly
Replace {course-id} with a valid course ID and visit:
/courses/{course-id}/settings#share
/courses/{course-id}/people?add=true
7. Observe the Impact
The student is able to access:
Share Settings
Invite/People Management Panel
These actions are meant only for the course admin, but due to missing access checks, the student gains unauthorized control.
# Acknowledgement
This vulnerability was discovered and responsibly reported by:
**Rivek Raj Tamang (RivuDon) from Sikkim, India**
https://www.linkedin.com/in/rivektamang/
https://rivudon.medium.com/