Executive Summary

CVE-2026-24674 is a Reflected Cross-Site Scripting (XSS) vulnerability in the Open eClass platform versions prior to 4.2. It occurs because certain HTTP GET endpoints do not properly validate or encode user input, allowing attackers to inject malicious JavaScript code.

An attacker can craft malicious URLs containing JavaScript payloads and trick authenticated users into visiting them. When the victim visits such a URL, the injected script executes in their browser within the context of their authenticated session.

This vulnerability affects endpoints like /modules/announcements/myannouncements.php, /modules/admin/listusers.php, and /main/system_announcements.php. It was patched in version 4.2 of Open eClass.

Useful 0 Not Useful 0

Compliance Impact

The Reflected Cross-Site Scripting (XSS) vulnerability in Open eClass allows attackers to execute arbitrary JavaScript in the context of authenticated users, potentially leading to theft of sensitive information such as session cookies and unauthorized actions like session hijacking.

Such unauthorized access and exposure of sensitive data can negatively impact compliance with data protection regulations and standards like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and breaches.

Therefore, if exploited, this vulnerability could lead to violations of confidentiality and integrity requirements mandated by these regulations, increasing the risk of non-compliance.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow attackers to execute arbitrary JavaScript code in the browsers of authenticated users, potentially leading to theft of sensitive information such as session cookies.

With stolen session cookies, attackers may hijack user sessions and perform unauthorized actions on behalf of the victim.

The attack requires the victim to click a malicious link, and the overall severity is moderate with a CVSS score of 4.7.

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by testing the affected endpoints for reflected Cross-Site Scripting (XSS) by sending crafted HTTP GET requests containing JavaScript payloads and observing if the payload is reflected and executed in the response.'}, {'type': 'list_item', 'content': 'Test the following endpoints with payloads in the URL parameters to see if the script is reflected:'}, {'type': 'list_item', 'content': "http://<eclass_server>/modules/announcements/myannouncements.php?test'alert(document.cookie)-'test=1"}, {'type': 'list_item', 'content': "http://<eclass_server>/modules/admin/listusers.php?test'alert(document.cookie)-'test=1"}, {'type': 'list_item', 'content': "http://<eclass_server>/main/system_announcements.php?localize=test'alert(document.cookie)-'test"}, {'type': 'paragraph', 'content': 'You can use command-line tools like curl or wget to send these requests and inspect the responses for reflected scripts.'}, {'type': 'list_item', 'content': 'Example curl command to test an endpoint: curl -i "http://<eclass_server>/modules/announcements/myannouncements.php?test\'alert(document.cookie)-\'test=1"'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade the Open eClass platform to version 4.2 or later, where this vulnerability has been patched.

Until the upgrade can be performed, restrict access to the affected endpoints and educate users to avoid clicking on suspicious or untrusted links that could exploit this reflected XSS vulnerability.

Additionally, consider implementing web application firewall (WAF) rules to detect and block malicious payloads targeting these endpoints.

Useful 0 Not Useful 0