CVE-2025-15134
Cross-Site Scripting in yourmaileyes MOOC Submission Handler
Publication date: 2025-12-28
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| yourmaileyes | mooc | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a security flaw in the yourmaileyes MOOC software (up to version 1.17) affecting the subreview function in the file mooc/controller/MainController.java within the Submission Handler component. It allows an attacker to perform cross-site scripting (XSS) by manipulating the 'review' argument. The attack can be initiated remotely, and an exploit has been publicly released.
How can this vulnerability impact me? :
The vulnerability can lead to cross-site scripting attacks, which may allow attackers to inject malicious scripts into web pages viewed by other users. This can result in unauthorized actions performed on behalf of users, potential theft of session tokens or other sensitive information, and a general compromise of user trust and application integrity.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the comment submission functionality of yourmaileyes MOOC version up to 1.17 for stored Cross-Site Scripting (XSS) flaws. You can attempt to submit a comment containing a typical XSS payload such as `<script>alert('xss')</script>` to the `/subreview` endpoint with appropriate parameters (e.g., courseid). If the script executes when viewing the comment, the vulnerability is present. For example, you can use curl to send a POST request: curl -X POST -d "courseid=3&context=<script>alert('xss')</script>" https://yourmaileyes.example.com/subreview Monitoring HTTP traffic for such payloads or scanning with web vulnerability scanners that detect stored XSS can also help identify the issue. [2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include disabling or restricting the comment submission functionality to prevent malicious input until a patch or fix is available. Since no known countermeasures or patches have been provided by the project, consider replacing the affected component with an alternative product. Additionally, implement input validation and output encoding to sanitize user inputs in the `subreview` function to prevent script injection. Applying web application firewalls (WAF) rules to block typical XSS payloads can also reduce risk temporarily. [1, 2, 3]