CVE-2025-12270

A vulnerability was determined in LearnHouse up to 98dfad76aad70711a8113f6c1fdabfccf10509ca. The impacted element is an unknown function of the file /api/v1/assignments/{assignment_id}/tasks/{task_id}/sub_file of the component Student Assignment Submission Handler. Manipulation of this element causes improper control of resource identifiers. The attack can be initiated remotely. The exploit has been publicly disclosed and may be used. This product uses continuous delivery with rolling releases, so no version details of affected or updated releases are available. The vendor was contacted early about this disclosure but did not respond in any way.

References

Link | Resource
https://gist.github.com/KhanMarshaI/f71f86fbd5d8e8363f9113a8c054c28b | Exploit, Third Party Advisory
https://vuldb.com/?ctiid.329942 | Permissions Required, VDB Entry
https://vuldb.com/?id.329942 | Third Party Advisory, VDB Entry
https://vuldb.com/?submit.674147 | Third Party Advisory, VDB Entry

Configurations

Configuration 1

cpe:2.3:a:learnhouse:learnhouse:*:*:*:*:*:*:*:*

History

31 Oct 2025, 20:17

Type | Values Removed | Values Added
CPE | | cpe:2.3:a:learnhouse:learnhouse:*:*:*:*:*:*:*:*
CWE | | CWE-639
First Time | | Learnhouse; Learnhouse learnhouse
References | () https://gist.github.com/KhanMarshaI/f71f86fbd5d8e8363f9113a8c054c28b - | () https://gist.github.com/KhanMarshaI/f71f86fbd5d8e8363f9113a8c054c28b - Exploit, Third Party Advisory
References | () https://vuldb.com/?ctiid.329942 - | () https://vuldb.com/?ctiid.329942 - Permissions Required, VDB Entry
References | () https://vuldb.com/?id.329942 - | () https://vuldb.com/?id.329942 - Third Party Advisory, VDB Entry
References | () https://vuldb.com/?submit.674147 - | () https://vuldb.com/?submit.674147 - Third Party Advisory, VDB Entry

27 Oct 2025, 14:15

Type | Values Removed | Values Added
References | () https://gist.github.com/KhanMarshaI/f71f86fbd5d8e8363f9113a8c054c28b - | () https://gist.github.com/KhanMarshaI/f71f86fbd5d8e8363f9113a8c054c28b -

27 Oct 2025, 12:15

Type | Values Removed | Values Added
New CVE | |

Information

Published : 2025-10-27 12:15

Updated : 2025-10-31 20:17


NVD link : CVE-2025-12270

Mitre link : CVE-2025-12270

CVE.ORG link : CVE-2025-12270


Products Affected

learnhouse

  • learnhouse
CWE
CWE-99

Improper Control of Resource Identifiers ('Resource Injection')

CWE-639

Authorization Bypass Through User-Controlled Key