CVE-2025-32808

Name of the Vulnerable Software and Affected Versions: W. W. Norton InQuizitive versions through 2025-04-08

Description: The issue allows students to insert arbitrary records of their quiz performance into the backend due to the existence of only client-side access control. This is related to a client-side enforcement of server-side security, specifically CWE-602.

Recommendations: For W. W. Norton InQuizitive versions through 2025-04-08, consider disabling the functionality that allows students to insert records of their quiz performance into the backend until a patch is available. Restrict access to the backend to minimize the risk of exploitation. Avoid using the affected functionality in the API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.