PT-2025-48186 · Unknown · Classroomio
Published 2025-11-26 · Updated 2025-12-03 · CVE-2025-65670
| CVSS v3.1 | 4.3 (Medium) |
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
classroomio version 0.1.13
Description
An Insecure Direct Object Reference (IDOR) exists in classroomio version 0.1.13. It allows students to reach sensitive admin and teacher endpoints by manipulating the course ID in the URL, which can lead to the unauthorized disclosure of sensitive course, admin, and student data. The leak is temporary: the data is exposed before the system restricts access. The affected API endpoints are reached by manipulating the course ID parameter in the URL.
Recommendations
Apply a fix to properly validate access controls for admin and teacher endpoints, preventing unauthorized access based on manipulated course IDs.
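The recommendation above, as an added illustration that is not ClassroomIO's own code: a course-scoped endpoint that only checks for a logged-in session (the IDOR pattern) next to one that resolves the caller's role for the requested course on the server before any data is returned. The role table, user and course IDs, and function names are constructed assumptions.

```typescript
// Added example (not ClassroomIO code): server-side authorization for
// course-scoped admin/teacher endpoints. Data model and names are assumed.
type Role = "admin" | "teacher" | "student";
interface Membership { userId: string; courseId: string; role: Role; }
interface AdminData { courseId: string; enrolledStudents: string[]; }
interface Reply { status: number; data?: AdminData; }

// Constructed sample membership table (hypothetical users and courses).
const memberships: Membership[] = [
  { userId: "u-alice", courseId: "course-1", role: "teacher" },
  { userId: "u-bob",   courseId: "course-1", role: "student" },
  { userId: "u-carol", courseId: "course-2", role: "admin" },
];

// Role of a user *in a specific course*, looked up from server-side state,
// never taken from the request.
function roleInCourse(userId: string, courseId: string): Role | null {
  const m = memberships.find(x => x.userId === userId && x.courseId === courseId);
  return m ? m.role : null;
}

function adminDataFor(courseId: string): AdminData {
  const students = memberships
    .filter(m => m.courseId === courseId && m.role === "student")
    .map(m => m.userId);
  return { courseId, enrolledStudents: students };
}

// IDOR pattern: only authentication is checked, so any logged-in student can
// read another course's admin data by changing the course ID in the URL.
// A later client-side redirect does not undo a response already sent.
function getCourseAdminDataVulnerable(userId: string | null, courseId: string): Reply {
  if (!userId) return { status: 401 };
  return { status: 200, data: adminDataFor(courseId) };
}

// Hardened pattern: authorize against the requested course before touching
// data. Students, and staff of other courses, are refused whatever ID they send.
function getCourseAdminDataHardened(userId: string | null, courseId: string): Reply {
  if (!userId) return { status: 401 };
  const role = roleInCourse(userId, courseId);
  if (role !== "admin" && role !== "teacher") return { status: 403 };
  return { status: 200, data: adminDataFor(courseId) };
}
```

The same check belongs in every server route or API handler that takes a course ID, since a guard that runs only in the page component still lets the data reach the client first.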
IDOR
Affected Products
Classroomio