PT-2026-34882 · Unknown · Classroomio

Published 2026-04-24 · Updated 2026-04-25 · CVE-2025-67259

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

ClassroomIO version 0.1.13

Description

Broken Access Control allows an authenticated low-privileged student user to access unauthorized course-level information. By modifying intercepted API requests (specifically, changing a captured POST request to a GET request against the '/rest/v1/course' PostgREST endpoint), sensitive data is disclosed. This information includes details of other students, tutor and admin profiles, and internal course metadata.

Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Improper Authorization

Improper Access Control

Weakness Enumeration

Related Identifiers

CVE-2025-67259

Affected Products

Classroomio