# CVE-2025-65672
Insecure Direct Object Reference (IDOR) in classroomio 0.1.13 allows unauthorized share and invite access to course settings.
* **Affected Product:** ClassroomIO
* **Affected Version:** 0.1.13
* **Discovered by:** Rivek Raj Tamang (RivuDon), Sikkim, India
## Vulnerability Details
Insecure Direct Object Reference (IDOR) / Broken Access Control
## Summary
ClassroomIO version 0.1.13 contains an IDOR vulnerability that allows a student (non-privileged user) to access restricted Course Settings, specifically the Share and Invite management interfaces.
This flaw arises due to improper authorization checks on sensitive endpoints, enabling privilege escalation and unauthorized course manipulation.
## Steps to Reproduce
1. Create Course (Admin)
   * Log in as an Admin and create/publish a new course.
2. Student View
   * Log in as a Student.
   * Navigate to the course using the Explore page.
   * Note the course ID in the URL.
3. Access Restricted Pages Directly
   * Replace `{course-id}` with a valid course ID and visit:
     * `/courses/{course-id}/settings#share`
     * `/courses/{course-id}/people?add=true`
4. Observe the Impact
   * The student is able to access:
     * Share Settings
     * Invite/People Management Panel
   * These actions are meant only for the course admin, but due to missing access checks, the student gains unauthorized control.
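The missing control here is a server-side, per-course role check on the settings and people routes. The following added example (not ClassroomIO's code; the course id, user ids, membership table and function names are constructed assumptions) contrasts a login-only check, which an IDOR like this passes, with an object-level authorization check, and maps the two affected URLs onto the actions it gates.

```typescript
// Added example, not ClassroomIO's code. Models the object-level authorization
// check whose absence lets a student reach course Share/Invite settings.
type Role = "admin" | "student";
type CourseAction = "share" | "invite";
interface Session { userId: string; }

// Constructed membership table: user -> role, per course (assumed data).
const MEMBERSHIPS: Record<string, Record<string, Role>> = {
  "course-101": { alice: "admin", bob: "student" },
};

// Vulnerable pattern: verifies only that someone is logged in and that the
// course in the URL exists, so any student (enrolled or not) passes.
function canAccessVulnerable(session: Session | null, courseId: string, _action: CourseAction): boolean {
  if (session === null) return false;
  return courseId in MEMBERSHIPS;
}

// Hardened pattern: resolve the caller's role for *this* course on the server
// and require admin for the privileged settings actions. Unknown course and
// non-member both deny, so an id taken from the URL buys nothing by itself.
function canAccessHardened(session: Session | null, courseId: string, action: CourseAction): boolean {
  if (session === null) return false;
  const course: Record<string, Role> | undefined = MEMBERSHIPS[courseId];
  if (course === undefined) return false;
  const role: Role | undefined = course[session.userId];
  if (role === undefined) return false;
  const required: Record<CourseAction, Role> = { share: "admin", invite: "admin" };
  return role === required[action];
}

// Map the two affected routes to the action they gate. The "#share" fragment is
// client-side only and never reaches the server, so the whole settings route
// must be protected, not just the share tab.
function actionForPath(path: string): { courseId: string; action: CourseAction } | null {
  const url = new URL(path, "http://localhost");
  const parts = url.pathname.split("/").filter((p) => p.length > 0);
  if (parts.length !== 3 || parts[0] !== "courses") return null;
  const courseId = parts[1] as string;
  if (parts[2] === "settings") return { courseId, action: "share" };
  if (parts[2] === "people" && url.searchParams.get("add") === "true") return { courseId, action: "invite" };
  return null;
}

// Server-side gate a route handler would call before rendering the page.
function authorizeRequest(session: Session | null, path: string): "allow" | "deny" | "not-gated" {
  const target = actionForPath(path);
  if (target === null) return "not-gated";
  return canAccessHardened(session, target.courseId, target.action) ? "allow" : "deny";
}
```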
## Acknowledgement
This vulnerability was discovered and responsibly reported by:
**Rivek Raj Tamang (RivuDon) from Sikkim, India**
https://www.linkedin.com/in/rivektamang/
https://rivudon.medium.com/