
CVE-2025-65670 PoC — ClassroomIO.com security vulnerability

Source
Associated Vulnerability
Title: ClassroomIO.com security vulnerability (CVE-2025-65670)
Description: ClassroomIO.com is an open-source education platform by ClassroomIO. ClassroomIO.com version 0.1.13 contains a security vulnerability caused by an insecure direct object reference, which may allow students to access sensitive admin or teacher endpoints by manipulating the course ID in the URL.
Description
An Insecure Direct Object Reference (IDOR) in classroomio 0.1.13 allows students to access sensitive admin/teacher endpoints. Discovered by Rivek Raj Tamang (RivuDon), Sikkim, India.
Readme
# CVE-2025-65670
An Insecure Direct Object Reference (IDOR) in classroomio 0.1.13 allows students to access sensitive admin/teacher endpoints by manipulating course IDs in URLs, resulting in unauthorized disclosure of sensitive course, admin, and student data. The leak occurs momentarily before the system reverts to a normal state restricting access. Discovered by Rivek Raj Tamang (RivuDon), Sikkim, India.

**Affected Product: ClassroomIO**
* Affected Version: 0.1.13
* **Discovered by: Rivek Raj Tamang (RivuDon), Sikkim, India**

## Vulnerability Details
Insecure Direct Object Reference / Broken Access Control

## Summary
This vulnerability allows a student-level user to momentarily access privileged admin-only endpoints by directly manipulating course IDs in the URL. Due to missing authorization checks and improper access validation, sensitive course analytics, attendance records, submissions, people lists, and marks become exposed before the system reverts to enforcing restrictions. This brief but critical information disclosure constitutes an IDOR-based Broken Access Control issue and can lead to leakage of sensitive administrative and student data.

## Steps to Reproduce

**Login as Admin**

1. Create and publish a course with enrolled students.

2. Access the admin endpoints for the course, e.g.:

   - courses/<course-ID>/analytics
   - courses/<course-ID>/attendance
   - courses/<course-ID>/submissions
   - courses/<course-ID>/people
   - courses/<course-ID>/marks

3. The admin can view the expected data.

**Login as Student**

4. Join the course via Explore.

5. Verify that students cannot see the admin views in the UI.

6. Find the course ID (e.g. by inspecting the course lessons URL).

7. Manually access the admin endpoints by crafting URLs such as:

   - courses/<course-ID>/analytics
   - courses/<course-ID>/attendance
   - courses/<course-ID>/submissions
   - courses/<course-ID>/people
   - courses/<course-ID>/marks

8. The system momentarily responds with data meant only for Admin/Teacher roles, leaking sensitive information before reverting to restricting access.
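To show the defensive side of the issue, here is an added example (not ClassroomIO's own code; the membership table, user IDs, course IDs, route names' handling and payloads are constructed, and the app's real data model is assumed) contrasting the check-after-fetch pattern that produces a momentary leak with a server-side guard that authorizes against the requested course before reading any data:

```typescript
// Added example, not ClassroomIO's own code: a server-side guard for the
// per-course admin endpoints named in the report. Users, course IDs, roles
// and payloads below are constructed; the real app's data model is assumed.

type Role = "admin" | "teacher" | "student";
interface Membership { userId: string; courseId: string; role: Role }
interface Result { status: number; body?: unknown }

// Constructed membership table standing in for the database.
const MEMBERSHIPS: Membership[] = [
  { userId: "u-admin", courseId: "c-101", role: "admin" },
  { userId: "u-teach", courseId: "c-101", role: "teacher" },
  { userId: "u-stud",  courseId: "c-101", role: "student" },
];

// The routes the report lists as admin/teacher only.
const PRIVILEGED = new Set(["analytics", "attendance", "submissions", "people", "marks"]);

// Constructed sensitive payloads, keyed by course and then by route.
const DATA: Record<string, Record<string, unknown>> = {
  "c-101": { analytics: { enrolled: 3, avgMark: 71 }, marks: { "u-stud": 64 } },
};

function roleIn(userId: string, courseId: string): Role | undefined {
  return MEMBERSHIPS.find(m => m.userId === userId && m.courseId === courseId)?.role;
}

// Flawed pattern behind a "momentary" leak: the payload is loaded for any
// caller and the role check only redirects afterwards, so the data has
// already left the server (or was rendered before a client-side check fired).
function handleFlawed(userId: string, courseId: string, route: string): Result {
  if (!PRIVILEGED.has(route)) return { status: 404 };
  const body = DATA[courseId]?.[route];        // read before any authorization
  return roleIn(userId, courseId) === "student"
    ? { status: 302, body }                    // "reverts", but body is attached
    : { status: 200, body };
}

// Fixed: authorize on the server against the *requested* course first, so a
// course ID swapped into the URL cannot reach data the caller is not entitled to.
function handleFixed(userId: string, courseId: string, route: string): Result {
  if (!PRIVILEGED.has(route)) return { status: 404 };
  const role = roleIn(userId, courseId);       // membership in this course only
  if (role !== "admin" && role !== "teacher") return { status: 403 };
  return { status: 200, body: DATA[courseId]?.[route] };
}
```

The important property is that the fixed guard keys the role lookup on the course ID taken from the request, so being an admin of one course grants nothing in another.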



## Acknowledgement

This vulnerability was discovered and responsibly reported by:

**Rivek Raj Tamang (RivuDon) from Sikkim, India** 

https://www.linkedin.com/in/rivektamang/

https://rivudon.medium.com/



