CVE-2026-24671
Stored XSS in Open eClass Allows Malicious Script Injection
Publication date: 2026-02-03
Last updated on: 2026-02-10
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| gunet | open_eclass_platform | < 4.2 (all versions before 4.2) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The Stored Cross-Site Scripting (XSS) vulnerability in Open eClass allows high-privileged users to inject malicious JavaScript that can execute when other users access affected pages. This can lead to session hijacking, unauthorized actions, or broader account compromise, impacting the confidentiality and integrity of user data.
Such impacts on confidentiality and integrity could potentially affect compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access or disclosure.
However, the provided information does not explicitly discuss compliance implications or specific regulatory impacts.
Can you explain this vulnerability to me?
CVE-2026-24671 is a Stored Cross-Site Scripting (XSS) vulnerability in the Open eClass platform versions up to 4.1. It allows authenticated high-privileged users, such as teachers or administrators, to inject malicious JavaScript code into multiple user-controllable input fields across the application.
These input fields include course document metadata, file names, course titles, course codes, grader comments, and attendance titles. The vulnerability arises because the application fails to properly sanitize or encode user-supplied input before rendering it in HTML contexts.
When other users access the affected pages, such as the course documents list, the injected JavaScript executes, potentially leading to harmful effects.
How can this vulnerability impact me?
This vulnerability can lead to session hijacking, unauthorized actions, or broader account compromise when malicious JavaScript injected by a high-privileged user executes in the context of other users viewing affected pages.
Because the attack requires high privileges and user interaction, an attacker with appropriate access can exploit this to steal sensitive information or perform actions on behalf of other users.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by verifying whether user-controllable input fields in Open eClass versions up to 4.1 accept JavaScript that is later executed in the browsers of other users who view the affected pages.
A practical detection method involves logging in as a high-privileged user (teacher or administrator) and entering a JavaScript payload, such as `<img src=x onerror=alert(document.cookie)>`, into input fields like document titles, course titles, course codes, grader comments, or attendance titles.
After injection, access the affected pages (e.g., the course documents list) as a different user and observe whether the script executes; execution confirms the vulnerability is present.
No specific network or system commands for automated detection are provided in the resources.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade Open eClass to version 4.2 or later, where this Stored Cross-Site Scripting vulnerability has been patched.
Until the upgrade is applied, restrict high-privileged user access to trusted personnel only, as the vulnerability requires authenticated high-privileged users to inject malicious scripts.
Additionally, monitor and sanitize user inputs manually where possible to reduce the risk of malicious script injection.
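As an added example (not Open eClass code), the following Node.js snippet supports the detection and mitigation answers above: it audits exported values of the fields this advisory names for stored markup left behind by a previous injection, and shows how output encoding renders such a value inert. The record shape and sample rows are constructed for the demonstration.

```javascript
// Added example, not part of Open eClass. Field names follow the advisory;
// the record layout is a constructed stand-in for a database export.
const ESCAPE_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode a stored value for an HTML text or quoted-attribute context.
// This is the kind of output encoding the CWE-79 description says is missing.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPE_MAP[ch]);
}

// Markup that has no business in a course title, course code, file name,
// grader comment or attendance title.
const SUSPICIOUS = [
  /<\s*\/?\s*[a-z][^>]*>/i, // any HTML tag
  /\bon[a-z]+\s*=/i,        // inline event handler such as onerror= or onload=
  /javascript\s*:/i,        // javascript: URL scheme
];

// Walk exported records and report every audited field whose stored value
// looks like markup, together with how it would render once encoded.
function auditStoredFields(records, fields) {
  const findings = [];
  for (const rec of records) {
    for (const field of fields) {
      const value = rec[field];
      if (typeof value !== 'string') continue;
      if (SUSPICIOUS.some((re) => re.test(value))) {
        findings.push({ id: rec.id, field, value, rendered: escapeHtml(value) });
      }
    }
  }
  return findings;
}

// Constructed sample rows (not real data). Record 4 contains quotes but no
// markup, so it is not reported; encoding still neutralises the quotes.
const SAMPLE_RECORDS = [
  { id: 1, course_title: 'Intro to Networks', course_code: 'NET101', doc_title: 'Week 1 slides' },
  { id: 2, course_title: 'Security <b>Basics</b>', course_code: 'SEC200', doc_title: 'Syllabus.pdf' },
  { id: 3, course_title: 'Databases', course_code: 'DB1', doc_title: '<img src=x onerror=alert(1)>' },
  { id: 4, course_title: 'Algorithms', course_code: 'ALG "1"', doc_title: 'Lecture' },
];
const AUDITED_FIELDS = ['course_title', 'course_code', 'doc_title', 'grader_comment', 'attendance_title'];

for (const f of auditStoredFields(SAMPLE_RECORDS, AUDITED_FIELDS)) {
  console.log(`record ${f.id}, field ${f.field}: ${JSON.stringify(f.value)} -> ${f.rendered}`);
}
```

Run it against a real export only after mapping the column names of your own installation onto `AUDITED_FIELDS`; the regexes are a triage filter, not a substitute for upgrading to 4.2.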