CVE-2025-10388
BaseFortify

Publication date: 2025-09-14

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was identified in Selleo Mentingo 2025.08.27. This issue affects some unknown processing of the file /api/course/enroll-course of the component Create New Course Basic Settings. Such manipulation of the argument Description leads to cross site scripting. The attack can be launched remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Meta Information
Published: 2025-09-14
Last Modified: 2026-04-29
Generated: 2026-05-07
AI Q&A: 2025-09-14
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
1 associated CPE
Vendor: selleo
Product: mentingo
Version / Range: 2025.08.27
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-94: The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-10388 is a stored Cross-Site Scripting (XSS) vulnerability in Selleo Mentingo 2025.08.27, specifically in the course description field of the Create New Course Basic Settings component. The Description argument is not properly sanitized or escaped as HTML, so an attacker can inject JavaScript into it. The injected script then executes automatically whenever any user views the global courses catalogue, potentially affecting students, content creators, or administrators. The vulnerability can be exploited remotely and exploit code is publicly available. [1, 3]


How can this vulnerability impact me?

This vulnerability can lead to privilege escalation and persistent control over the LMS platform. For students, attackers can silently enroll them into attacker-controlled courses by forging enrollment requests. For administrators, an XSS payload executing in an administrator's browser can issue API calls that create new administrative accounts, giving the attacker full administrative access. This can result in unauthorized access, manipulation of platform data, and control over the system. [1, 2]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection of this vulnerability involves monitoring for suspicious POST requests to the endpoint /api/course/enroll-course with manipulated Description parameters containing malicious scripts, and for unauthorized POST requests to /api/user that create new admin accounts. Network traffic analysis tools such as tcpdump or Wireshark can capture HTTP requests to these endpoints; for example, the following filter captures only TCP segments that carry a payload:

    tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'

and the output can then be grepped for /api/course/enroll-course or /api/user. Web server logs can be searched for the same endpoints:

    grep 'POST /api/course/enroll-course' /var/log/nginx/access.log
    grep 'POST /api/user' /var/log/nginx/access.log

to identify suspicious requests containing script tags or unusual payloads. [1, 3]
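As an added illustration (not code from the BaseFortify page or from Selleo), the log checks above expressed as a small Python scanner run over constructed nginx access-log lines. It assumes the standard combined log format, which records the request line but not the POST body, so it keys on method and path rather than on the Description payload itself; the sample lines, hostnames and IP addresses are made up.

```python
import re
from urllib.parse import unquote

# Constructed sample nginx access-log lines (combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [14/Sep/2025:10:01:02 +0000] "GET /courses HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [14/Sep/2025:10:02:15 +0000] "POST /api/course/enroll-course HTTP/1.1" 200 312 "https://lms.example/courses/new" "Mozilla/5.0"
203.0.113.9 - - [14/Sep/2025:10:02:40 +0000] "POST /api/user HTTP/1.1" 201 88 "https://lms.example/courses" "Mozilla/5.0"
198.51.100.7 - - [14/Sep/2025:10:03:01 +0000] "GET /courses?q=%3Cscript%3Etest%3C%2Fscript%3E HTTP/1.1" 200 5120 "-" "curl/8.0"
"""

# Combined log format: client, ident, user, [timestamp], "request line", status, bytes, "referer", "user-agent".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# Endpoints named in the advisory: course creation/enrolment and user creation.
WATCHED = {"/api/course/enroll-course", "/api/user"}
# Markers that indicate script content in the request URI (the body is not logged).
SCRIPT_MARKERS = ("<script", "javascript:", "onerror=", "onload=")


def flag_line(line):
    """Return a reason string if the line matches one of the indicators, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m.group("path")
    base = path.split("?", 1)[0]
    if m.group("method") == "POST" and base in WATCHED:
        return f"POST to watched endpoint {base}"
    # The request line is URL-encoded; decode before looking for script markers.
    decoded = unquote(path).lower()
    if any(marker in decoded for marker in SCRIPT_MARKERS):
        return "script marker in request URI"
    return None


def scan(log_text):
    """Return a list of (ip, timestamp, path, reason) for every flagged line."""
    hits = []
    for line in log_text.splitlines():
        reason = flag_line(line)
        if reason:
            m = LOG_RE.match(line)
            hits.append((m.group("ip"), m.group("ts"), m.group("path"), reason))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Because hits carry the client address and timestamp, repeated POSTs to /api/user from the same client shortly after a catalogue view are easy to pivot on in a real log.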


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include restricting or disabling the vulnerable functionality related to the /api/course/enroll-course endpoint, especially the Description field input, until a patch or fix is available. Implement input validation and sanitization to prevent injection of malicious scripts in the Description parameter. Monitor and restrict API access to prevent unauthorized POST requests to /api/user that could create admin accounts. Consider applying web application firewalls (WAF) rules to block suspicious payloads targeting these endpoints. Since no vendor patch or official mitigation is available, consider limiting user privileges and access to the LMS platform and reviewing logs for signs of exploitation. If possible, consider using alternative products or versions not affected by this vulnerability. [1, 3]

