CVE-2025-15134
Unknown Unknown - Not Provided
Cross-Site Scripting in yourmaileyes MOOC Submission Handler

Publication date: 2025-12-28

Last updated on: 2026-04-29

Assigner: VulDB

Description
A security flaw has been discovered in yourmaileyes MOOC up to 1.17. This affects the function subreview of the file mooc/controller/MainController.java of the component Submission Handler. Performing manipulation of the argument review results in cross site scripting. The attack can be initiated remotely. The exploit has been released to the public and may be exploited. The project was informed of the problem early through an issue report but has not responded yet.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-28
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2025-12-28
EPSS Evaluated
2026-06-14
NVD
CVE-2025-15134
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
yourmaileyes mooc *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a security flaw in the yourmaileyes MOOC software (up to version 1.17) affecting the subreview function in the file mooc/controller/MainController.java within the Submission Handler component. It allows an attacker to perform cross-site scripting (XSS) by manipulating the 'review' argument. The attack can be initiated remotely, and an exploit has been publicly released.

Impact Analysis

The vulnerability can lead to cross-site scripting attacks, which may allow attackers to inject malicious scripts into web pages viewed by other users. This can result in unauthorized actions performed on behalf of users, potential theft of session tokens or other sensitive information, and a general compromise of user trust and application integrity.

Detection Guidance

This vulnerability can be detected by testing the comment submission functionality of yourmaileyes MOOC version up to 1.17 for stored Cross-Site Scripting (XSS) flaws. You can attempt to submit a comment containing a typical XSS payload such as `<script>alert('xss')</script>` to the `/subreview` endpoint with appropriate parameters (e.g., courseid). If the script executes when viewing the comment, the vulnerability is present. For example, you can use curl to send a POST request: curl -X POST -d "courseid=3&context=<script>alert('xss')</script>" https://yourmaileyes.example.com/subreview Monitoring HTTP traffic for such payloads or scanning with web vulnerability scanners that detect stored XSS can also help identify the issue. [2]

Mitigation Strategies

Immediate mitigation steps include disabling or restricting the comment submission functionality to prevent malicious input until a patch or fix is available. Since no known countermeasures or patches have been provided by the project, consider replacing the affected component with an alternative product. Additionally, implement input validation and output encoding to sanitize user inputs in the `subreview` function to prevent script injection. Applying web application firewalls (WAF) rules to block typical XSS payloads can also reduce risk temporarily. [1, 2, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-15134. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart