Compliance Impact

The Stored Cross-Site Scripting (XSS) vulnerability in Open eClass allows attackers to execute malicious scripts in the context of other users, potentially leading to session cookie theft and unauthorized actions. This can result in unauthorized access to personal data and compromise of user accounts.

Such unauthorized access and potential data breaches can negatively impact compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal data and ensuring user privacy and security.

By allowing injection of malicious code into user profile fields, the vulnerability undermines the integrity and confidentiality of user data, which are key principles in these regulations.

The issue has been patched in version 4.2, so using the updated version mitigates these compliance risks.

Useful 0 Not Useful 0

Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-24672 is a Stored Cross-Site Scripting (XSS) vulnerability in the Open eClass platform versions up to 4.1. It occurs because the application does not properly sanitize or encode user input in user profile fields, specifically the first name and last name attributes.'}, {'type': 'paragraph', 'content': 'Authenticated students can inject malicious JavaScript code into these profile fields. When users with viewing privileges, such as teachers or administrators, access the affected profile pages, the malicious script executes in their browser.'}, {'type': 'paragraph', 'content': "This vulnerability is classified under CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). It has been patched in Open eClass version 4.2."}] [1]

Useful 0 Not Useful 0

Impact Analysis

The vulnerability can lead to serious security impacts including theft of session cookies, unauthorized actions performed on behalf of the victim user, and compromise of user accounts.

Because the malicious script executes in the context of users with viewing privileges, attackers can potentially hijack sessions or perform actions with elevated permissions.

The CVSS v3.1 base score for this vulnerability is 7.3, indicating high severity with high confidentiality and integrity impacts, though no impact on availability.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by attempting to inject a JavaScript payload into the first name or last name fields of a user profile while logged in as an authenticated student. For example, injecting a payload such as `<img src=x onerror=alert(document.cookie)>` into these fields and then accessing the profile page with a user account that has viewing privileges (e.g., teacher or administrator) will trigger the script execution if the system is vulnerable.

There are no specific network or system commands provided to detect this vulnerability automatically. Detection involves manual testing of the user profile input fields for improper sanitization of JavaScript code.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade the Open eClass platform to version 4.2 or later, where this Stored Cross-Site Scripting vulnerability has been patched.

Until the upgrade can be performed, restrict authenticated student privileges to prevent them from modifying user profile fields, or implement input sanitization and validation on the server side to block malicious JavaScript code in profile fields.

Useful 0 Not Useful 0