Frappe LMS 漏洞 CVE-2026-39415: 测验成绩篡改风险

CVE-2026-39415 影响 Frappe Learning Management System (LMS) 的 2.46.0 之前的版本。此漏洞允许学生在提交之前修改测验分数。这是因为该应用程序目前依赖于客户端计算的分数，这些分数可以使用浏览器开发者工具在发送提交请求之前进行修改。虽然此漏洞不允许修改其他用户的数据或提升权限，但它会损害测验分数的完整性和评估的有效性。

Educational institutions and organizations utilizing Frappe Learning Management System (LMS) versions 1.0.0 through 2.46.0 are at risk. Specifically, courses relying heavily on quizzes for assessment are particularly vulnerable. Organizations with limited security expertise or those who have not implemented robust code review processes are also at higher risk.

• Generic Web: Check the Frappe LMS application code for client-side score calculations without server-side validation. Use curl to inspect API endpoints related to quiz submissions for potential vulnerabilities. • php: Examine PHP code for functions related to quiz score calculation and submission. Look for instances where client-side data is directly used without validation. Use grep to search for keywords like $_POST and score in relevant files. • Database (MySQL): Query the database for suspicious quiz score entries that deviate significantly from expected ranges or patterns. Use a query like SELECT score FROM quiz_results WHERE score > 100 OR score < 0;

1. 2026-04-08Disclosure

   disclosure

1. 已保留2026-04-07
2. 发布日期2026-04-08
3. 修改日期2026-04-09
4. EPSS 更新日期2026-04-16

此漏洞的解决方案是升级到 Frappe LMS 的 2.46.0 或更高版本。此版本包含修复程序，可在服务器端验证测验分数，从而防止客户端操作。建议尽快应用此更新，以保护评估的完整性和对学习成果的信任。此外，请审查评估策略和实践，以补充更新并确保安全可靠的学习环境。