CVE-2025-65670

Published: Nov 26, 2025Modified: Dec 3, 2025

4.3

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Exploitability: 2.8 / Impact: 1.4

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

Description

An Insecure Direct Object Reference (IDOR) in classroomio 0.1.13 allows students to access sensitive admin/teacher endpoints by manipulating course IDs in URLs, resulting in unauthorized disclosure of sensitive course, admin, and student data. The leak occurs momentarily before the system reverts to a normal state restricting access.

Affected (1)

Products: Classroomio: Classroomio

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Classroomio Classroomio	Version 0.1.13

Related CWEs

Authorization Bypass Through User-Controlled Key

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

References (3)

http://classroomio.com

Source: cve@mitre.org

Product

https://github.com/Rivek619/CVE-2025-65670

Source: cve@mitre.org

ExploitThird Party Advisory

https://github.com/classroomio/classroomio

Source: cve@mitre.org

Product

Timeline

No history available yet.