CVE-2025-11282
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-05

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was found in Frappe LMS 2.34.x/2.35.0. The impacted element is an unknown function of the component Incomplete Fix CVE-2025-55006. Performing a manipulation results in cross site scripting. Remote exploitation of the attack is possible. The exploit has been made public and could be used. The affected component should be upgraded. The vendor was informed early about a total of four security issues and confirmed that those have been fixed. However, the release notes on GitHub do not mention them.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-05
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2025-10-05
EPSS Evaluated
2026-06-15
NVD
CVE-2025-11282
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
frappe learning From 2.34.0 (inc) to 2.35.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-11282 is a stored cross-site scripting (XSS) vulnerability in Frappe LMS versions 2.34.x and 2.35.0. It occurs because the application improperly handles uploaded HTML and SVG files, allowing attackers to bypass file-type restrictions by switching the file filter from "Image Files" to "All Files" and uploading malicious payloads. Although the user interface shows error messages, these files are still saved on the server. When users or administrators view these files, arbitrary JavaScript executes in their browsers, enabling attackers to steal sensitive information such as user emails, administrator status, and full names. This can lead to session hijacking, user impersonation, and privilege escalation. The vulnerability is an incomplete fix of a previous issue (CVE-2025-55006) and persists due to insufficient backend validation. [1, 2, 3]

Impact Analysis

This vulnerability can impact you by allowing attackers to execute arbitrary JavaScript in the browsers of users or administrators who view the malicious uploaded files. This can lead to theft of sensitive data such as email addresses, administrator status, and full names. Consequently, attackers can hijack sessions, impersonate users, escalate privileges, and maintain persistent access to the system. The stored nature of the XSS means the risk remains as long as the malicious files exist on the server, threatening user confidentiality and application integrity. [1, 3]

Detection Guidance

This vulnerability can be detected by monitoring for malicious HTML or SVG file uploads that bypass file-type restrictions in Frappe LMS 2.35.0. Detection involves checking for files uploaded with the file filter switched from "Image Files" to "All Files" and verifying if such files are saved despite error messages. You can also look for suspicious JavaScript execution when viewing uploaded files. Specific commands are not provided in the resources, but monitoring file uploads and reviewing server logs for unexpected HTML or SVG files, as well as inspecting user activity related to assignment uploads, can help detect exploitation attempts. [1, 3]

Mitigation Strategies

Immediate mitigation steps include enforcing strict server-side validation to reject non-image files, sanitizing or disallowing HTML and SVG file uploads, and implementing Content Security Policy (CSP) headers to reduce the impact of cross-site scripting attacks. Additionally, upgrading Frappe LMS to a fixed version that addresses this vulnerability is recommended. [1, 2, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-11282. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart