CVE-2025-65670
MediumCVSS 4.3Exploitation Probability (EPSS)
Low risk12th percentile - higher than 12% of all known CVEs
Summary
An IDOR vulnerability in classroomio 0.1.13 allows students to access sensitive admin/teacher endpoints by manipulating course IDs in URLs, resulting in temporary unauthorized disclosure of sensitive course, admin, and student data before the system reverts to normal access restrictions.
Risk Assessment
The risk involves unauthorized access to administrative and other users' data, potentially compromising system confidentiality and leading to sensitive information leakage.
Recommendation
Immediately update classroomio to the latest patched version and implement authorization checks on all endpoints to prevent ID manipulation.
Original NVD description (English source)
An Insecure Direct Object Reference (IDOR) in classroomio 0.1.13 allows students to access sensitive admin/teacher endpoints by manipulating course IDs in URLs, resulting in unauthorized disclosure of sensitive course, admin, and student data. The leak occurs momentarily before the system reverts to a normal state restricting access.

