CVE-2025-11283
BaseFortify
Publication date: 2025-10-05
Last updated on: 2026-04-29
Assigner: VulDB
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| frappe | learning | 2.35.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-11283 is a stored cross-site scripting (XSS) vulnerability in Frappe LMS version 2.35.0, specifically in the course description field when accessed in instructor edit mode. The application does not properly sanitize user input in the course description, allowing an attacker with course creation or editing privileges to inject malicious JavaScript code. This code executes in the browsers of instructors or administrators who view the affected course in edit mode, potentially leading to session hijacking, privilege escalation, and data exfiltration such as cookies, user roles, and email addresses. [1, 3]
How can this vulnerability impact me?
This vulnerability can lead to persistent cross-site scripting attacks targeting privileged users like instructors and administrators. Exploitation can result in session hijacking, account takeover, privilege escalation, and exfiltration of sensitive data including cookies, user roles, and email addresses. Because the malicious script is stored in the course description, the risk persists whenever the course is edited or viewed in edit mode by authorized users. [1, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking for the presence of malicious scripts injected into the course description field in Frappe LMS version 2.35.0, especially when accessed in instructor edit mode. Detection involves reviewing course descriptions for suspicious HTML or JavaScript payloads such as <img src=x onerror=alert(document.cookie)>. Since the exploit requires course creation or editing privileges, monitoring logs for unusual course creation or editing activities by users with the 'Course Creator' role can help. There is a publicly available proof-of-concept exploit that can be used to test the vulnerability. Specific commands are not provided in the resources, but manual inspection or automated scanning of course description fields for script tags or event handlers can be used. [1, 2, 3]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading the affected Frappe LMS component to a version where the vulnerability is fixed. Additionally, implement strict server-side input sanitization to neutralize dangerous HTML and JavaScript in course description fields. Use whitelist-based HTML filtering to allow only safe tags such as <p>, <b>, and <i>. Adding Content Security Policy (CSP) headers is also recommended to limit the impact of any injected scripts. Restrict course creation and editing privileges to trusted users only. [1, 3, 2]
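The allowlist filtering recommended above, sketched with the Python standard library as an added example; it is not Frappe LMS code or the vendor's fix. The names AllowlistSanitizer and sanitize_description and the sample description are assumptions made for illustration.

```python
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "b", "i"}      # the safe tags named in the mitigation advice
DROP_CONTENT = {"script", "style"}  # elements whose inner text is discarded too

class AllowlistSanitizer(HTMLParser):
    """Rebuilds the markup from parse events; nothing is copied through verbatim."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.removed, self.open_tags = [], [], []
        self.skip_depth = 0  # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip_depth += 1
            self.removed.append(f"<{tag}>")
        elif self.skip_depth:
            return
        elif tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}>")  # attributes (onclick, style, ...) never survive
            self.open_tags.append(tag)
            self.removed += [f"{tag}[{name}]" for name, _ in attrs]
        else:
            self.removed.append(f"<{tag}>")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth and tag in self.open_tags:
            self.close_until(tag)

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data))  # text is re-escaped on output

    def close_until(self, tag=None):
        # Emit closing tags for open elements, stopping after `tag` if given.
        while self.open_tags:
            top = self.open_tags.pop()
            self.out.append(f"</{top}>")
            if top == tag:
                break

def sanitize_description(raw):
    """Return (clean_html, removed_items) for one course description."""
    parser = AllowlistSanitizer()
    parser.feed(raw)
    parser.close()        # flush buffered text
    parser.close_until()  # balance any tags left open
    return "".join(parser.out), parser.removed

# Constructed sample input; the <img> payload is the one quoted above.
SAMPLE = ('<p>Intro to <b onclick="x()">Python</b></p>'
          '<img src=x onerror=alert(document.cookie)><script>alert(1)</script>')
```

A non-empty removed list on a stored description is also a usable signal for the manual review of course description fields described in the detection answer.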