CVE-2025-67259
MEDIUM EPSS 11.5%
Published Apr 24, 20262mo ago · Modified Jun 17, 20261w ago
6.5 CVSS 3.1
Published Apr 24, 2026 2mo ago
Last Modified Jun 17, 2026 1w ago
Description
A Broken Access Control vulnerability exists in ClassroomIO v0.1.13 where an authenticated low-privileged "student" user can access unauthorized course-level information by modifying intercepted API requests. Changing a captured POST request to a GET request against the /rest/v1/course PostgREST endpoint results in disclosure of sensitive information including other students details, tutor/admin profiles, and internal course metadata.
CVSS Details
Base Score
Exploitability
Impact
Vector string
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Attack Vector Network
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality High
Integrity None
Availability None
Threat Intelligence
EPSS Exploit Probability
11.5% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available
Weaknesses 2
CWE-284
CWE-285
References 2
- drive.google.com https://drive.google.com/file/d/1G_IjEURNBcaSmBo4FdOo_27q-4H9MV34/view?usp=drive_link
- github.com https://github.com/classroomio/classroomio/issues/642
Remediation
No remediation data recorded yet
Check vendor advisories and the NVD entry for patch availability.