# CVE-2025-65670 An Insecure Direct Object Reference (IDOR) in classroomio 0.1.13 allows students to access sensitive admin/teacher endpoints by manipulating course IDs in URLs, resulting in unauthorized disclosure of sensitive course, admin, and student data. The leak occurs momentarily before the system reverts to a normal state restricting access.Discovered by - Rivek Raj Tamang (RivuDon), Sikkim, India. **Affected Product: ClassroomIO** * Affected Version: 0.1.13 * **Discovered by: Rivek Raj Tamang (RivuDon), Sikkim, India** ## Vulnerability Details Insecure Direct Object Reference / Broken Access Control # Summary This vulnerability allows a student-level user to momentarily access privileged admin-only endpoints by directly manipulating course IDs in the URL. Due to missing authorization checks and improper access validation, sensitive course analytics, attendance records, submissions, people lists, and marks become exposed before the system reverts to enforcing restrictions. This brief but critical information disclosure constitutes an IDOR-based Broken Access Control issue and can lead to leakage of sensitive administrative and student data. ## Steps to Reproduce Login as Admin 1. Create and publish a course with enrolled students. 2. Access admin endpoints for the course e.g.. courses//analytics, courses//attendance, courses//submissions, courses//people, courses//marks, 3. Admin can view expected data. Login as Student 4. Join the course via Explore 5. Verify Students cannot see admin in the UI 6. Find the course ID (e.g. by inspecting course lessons URL). 7. Manually access the admin endpoints by crafting URLs such as: courses//analytics, courses//attendance, courses//submissions, courses//people, courses//marks, 8. The system responds with data meant only for Admin/Teacher roles momentarily, leaking sensitive information before reverting to restricting access. # Acknowledgement This vulnerability was discovered and responsibly reported by: **Rivek Raj Tamang (RivuDon) from Sikkim, India** https://www.linkedin.com/in/rivektamang/ https://rivudon.medium.com/ ------------------- # CVE-2025-65672 Insecure Direct Object Reference (IDOR) in classroomio 0.1.13 allows unauthorized share and invite access to course settings. **Affected Product: ClassroomIO** * Affected Version: 0.1.13 * **Discovered by: Rivek Raj Tamang (RivuDon), Sikkim, India** ## Vulnerability Details Insecure Direct Object Reference (IDOR) / Broken Access Control # Summary ClassroomIO version 0.1.13 contains an IDOR vulnerability that allows a student (non-privileged user) to access restricted Course Settings, specifically the Share and Invite management interfaces. This flaw arises due to improper authorization checks on sensitive endpoints, enabling privilege escalation and unauthorized course manipulation. ## Steps to Reproduce 1. Create Course (Admin) 2. Log in as an Admin and create/publish a new course. 3. Student View Log in as a Student. Navigate to the course using the Explore page. Note the course ID in the URL. 5. Access Restricted Pages Directly Replace {course-id} with a valid course ID and visit: /courses/{course-id}/settings#share /courses/{course-id}/people?add=true 7. Observe the Impact The student is able to access: Share Settings Invite/People Management Panel These actions are meant only for the course admin, but due to missing access checks, the student gains unauthorized control. # Acknowledgement This vulnerability was discovered and responsibly reported by: **Rivek Raj Tamang (RivuDon) from Sikkim, India** https://www.linkedin.com/in/rivektamang/ https://rivudon.medium.com/