Compliance Impact

[{'type': 'paragraph', 'content': "The stored Cross-Site Scripting (XSS) vulnerability in Open eClass allows attackers to execute malicious JavaScript in the context of instructors' browsers, potentially leading to session cookie theft and unauthorized actions. This can result in unauthorized access to sensitive information and compromise of user accounts."}, {'type': 'paragraph', 'content': 'Such unauthorized access and potential data exposure could negatively impact compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive data against unauthorized access and ensuring system security.'}, {'type': 'paragraph', 'content': 'Therefore, if exploited, this vulnerability could lead to violations of confidentiality and integrity requirements mandated by these standards, increasing the risk of non-compliance.'}] [1]

Useful 0 Not Useful 0

Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-24665 is a stored Cross-Site Scripting (XSS) vulnerability in the Open eClass platform versions up to 4.1. It allows authenticated students to upload assignment files containing malicious JavaScript code. When instructors view these uploaded files, the malicious code executes in their browser.'}, {'type': 'paragraph', 'content': "This happens because the platform does not properly sanitize or restrict active content in uploaded files, leading to execution of harmful scripts in the context of the instructor's session."}, {'type': 'paragraph', 'content': 'The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation) and was patched in version 4.2.'}] [1]

Useful 0 Not Useful 0

Impact Analysis

[{'type': 'paragraph', 'content': 'This vulnerability can have serious impacts including theft of session cookies and unauthorized actions performed on behalf of the instructor.'}, {'type': 'list_item', 'content': 'An attacker (authenticated student) can inject malicious JavaScript into assignment files.'}, {'type': 'list_item', 'content': 'When an instructor views the malicious file, the script executes in their browser.'}, {'type': 'list_item', 'content': 'This can lead to exposure of sensitive data such as session cookies (confidentiality impact: high).'}, {'type': 'list_item', 'content': "It can also allow unauthorized actions to be performed with the instructor's privileges (integrity impact: high)."}, {'type': 'paragraph', 'content': 'The attack requires low complexity and only low privileges (authenticated student), but user interaction (instructor viewing the file) is needed.'}] [1]

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by verifying if authenticated students are able to upload HTML files containing embedded JavaScript code that executes when viewed by instructors.

A practical approach to detection involves the following steps:

• Authenticate as a student user.
• Create and upload an HTML file with embedded JavaScript, for example: `<script>alert(document.cookie)</script>`.
• Authenticate as an instructor.
• Navigate to the submitted assignment and open the uploaded file.

If the JavaScript executes in the instructor’s browser, the vulnerability is present.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade the Open eClass platform to version 4.2 or later, where this vulnerability has been patched.

Until the upgrade is applied, consider restricting or disabling the ability for students to upload HTML or other files containing active content.

Additionally, instruct instructors to avoid opening suspicious assignment files that may contain malicious scripts.

Useful 0 Not Useful 0