← Back

Classroomio

classroomio

6 CVEs • 1 product

Products (1)

Click to collapse
Toggle
Classroomio
classroomio
6 CVEs

CVEs (6)

CVE
VENDORS
PRODUCTS
UPDATED
PUBLISHED
CVSS
CVE-2025-67298
1Classroomio
1Classroomio
Apr 7, 2026
Mar 11, 2026
N/A· v4
8.1 HIGH· v3
N/A· v2
An issue in ClasroomIO before v.0.2.6 allows a remote attacker to escalate privileges via the endpoints /api/verify and /rest/v1/profile
CVE-2025-65670
1Classroomio
1Classroomio
Dec 3, 2025
Nov 26, 2025
N/A· v4
4.3 MEDIUM· v3
N/A· v2
An Insecure Direct Object Reference (IDOR) in classroomio 0.1.13 allows students to access sensitive admin/teacher endpoints by manipulating course IDs in URLs, resulting in unauthorized disclosure of sensitive course, a...Show more
An Insecure Direct Object Reference (IDOR) in classroomio 0.1.13 allows students to access sensitive admin/teacher endpoints by manipulating course IDs in URLs, resulting in unauthorized disclosure of sensitive course, admin, and student data. The leak occurs momentarily before the system reverts to a normal state restricting access.Show less
CVE-2025-65676
1Classroomio
1Classroomio
Dec 3, 2025
Nov 26, 2025
N/A· v4
5.4 MEDIUM· v3
N/A· v2
Stored Cross site scripting (XSS) vulnerability in Classroomio LMS 0.1.13 allows authenticated attackers to execute arbitrary code via crafted SVG cover images.
CVE-2025-65675
1Classroomio
1Classroomio
Dec 5, 2025
Nov 26, 2025
N/A· v4
5.4 MEDIUM· v3
N/A· v2
Stored Cross site scripting (XSS) vulnerability in Classroomio LMS 0.1.13 allows authenticated attackers to execute arbitrary code via crafted SVG profile pictures.
CVE-2025-65672
1Classroomio
1Classroomio
Dec 5, 2025
Nov 26, 2025
N/A· v4
7.5 HIGH· v3
N/A· v2
Insecure Direct Object Reference (IDOR) in classroomio 0.1.13 allows unauthorized share and invite access to course settings.
CVE-2025-65669
1Classroomio
1Classroomio
Dec 3, 2025
Nov 26, 2025
N/A· v4
9.1 CRITICAL· v3
N/A· v2
An issue was discovered in classroomio 0.1.13. Student accounts are able to delete courses from the Explore page without any authorization or authentication checks, bypassing the expected admin-only deletion restriction.