Compliance Impact

The Stored Cross-Site Scripting (XSS) vulnerability in Open eClass allows high-privileged users to inject malicious JavaScript that can execute when other users access affected pages. This can lead to session hijacking, unauthorized actions, or broader account compromise, impacting the confidentiality and integrity of user data.

Such impacts on confidentiality and integrity could potentially affect compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access or disclosure.

However, the provided information does not explicitly discuss compliance implications or specific regulatory impacts.

Useful 0 Not Useful 0

Executive Summary

CVE-2026-24671 is a Stored Cross-Site Scripting (XSS) vulnerability in the Open eClass platform versions up to 4.1. It allows authenticated high-privileged users, such as teachers or administrators, to inject malicious JavaScript code into multiple user-controllable input fields across the application.

These input fields include course document metadata, file names, course titles, course codes, grader comments, and attendance titles. The vulnerability arises because the application fails to properly sanitize or encode user-supplied input before rendering it in HTML contexts.

When other users access the affected pages, such as the course documents list, the injected JavaScript executes, potentially leading to harmful effects.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to session hijacking, unauthorized actions, or broader account compromise when malicious JavaScript injected by a high-privileged user executes in the context of other users viewing affected pages.

Because the attack requires high privileges and user interaction, an attacker with appropriate access can exploit this to steal sensitive information or perform actions on behalf of other users.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by verifying if user-controllable input fields in Open eClass versions up to 4.1 allow injection of malicious JavaScript code that executes when accessed by other users.

A practical detection method involves logging in as a high-privileged user (teacher or administrator) and injecting a JavaScript payload, such as `<img src=x onerror=alert(document.cookie)>`, into input fields like document titles, course titles, course codes, grader comments, or attendance titles.

After injection, access the affected pages (e.g., course documents list) as a different user to observe if the script executes, indicating the presence of the vulnerability.

There are no specific network or system commands provided in the resources for automated detection.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade Open eClass to version 4.2 or later, where this Stored Cross-Site Scripting vulnerability has been patched.

Until the upgrade is applied, restrict high-privileged user access to trusted personnel only, as the vulnerability requires authenticated high-privileged users to inject malicious scripts.

Additionally, monitor and sanitize user inputs manually where possible to reduce the risk of malicious script injection.

Useful 0 Not Useful 0