Executive Summary

CVE-2026-35169 is a high-severity reflected cross-site scripting (XSS) vulnerability in the help_editor module of the LORIS software, affecting versions from 15.10 up to 28.0.0.

The vulnerability occurs because the module does not properly sanitize certain user-supplied input variables, such as parameters like `testName` and `subtest` used in retrieving help content.

An attacker can craft malicious links that, when followed by a user, execute arbitrary scripts in the victim’s browser (reflected XSS).

Additionally, the same input vector can be exploited to download arbitrary markdown files from the server if it is unpatched, due to insufficient validation of file paths when accessing help documentation files.

The vulnerability was fixed by enforcing proper content handling with a JSON content-type header, stricter file path validation using realpath and base directory checks, and modifying error messages to avoid disclosing file paths.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability in LORIS allows reflected cross-site scripting (XSS) attacks and unauthorized downloading of markdown files, which can lead to unauthorized access and modification of sensitive data.

Such unauthorized access and potential data modification could negatively impact compliance with data protection standards and regulations like GDPR and HIPAA, which require safeguarding confidentiality and integrity of personal and sensitive information.

Specifically, the high confidentiality and integrity impact indicated by the CVSS score suggests that this vulnerability could lead to breaches of protected data, thus violating regulatory requirements for data security and privacy.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have serious impacts including unauthorized execution of scripts in a user's browser, which can lead to theft of sensitive information, session hijacking, or other malicious actions.

It also allows attackers to download arbitrary markdown files from the server, potentially exposing sensitive documentation or data.

The CVSS v3.1 score of 8.7 indicates a high severity with low attack complexity and low privileges required, meaning it is relatively easy for an attacker to exploit if a user is tricked into following a malicious link.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by testing the help_editor module of LORIS for reflected cross-site scripting (XSS) by supplying crafted input parameters such as `testName` and `subtest` in URLs and observing if arbitrary scripts execute or if markdown files can be downloaded.

One approach is to manually or automatically send HTTP requests to the help content retrieval endpoints with malicious payloads in these parameters and check for script execution or unauthorized file downloads.

Specific commands are not provided in the resources, but typical detection methods include using tools like curl or wget to send crafted requests, or using web vulnerability scanners that test for reflected XSS.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include upgrading LORIS to version 27.0.3 or later, or 28.0.1 or later, where the vulnerability is fixed.

As a temporary workaround, disabling the help_editor module can prevent exploitation, although this may break inline help functionality.

The fix involves enforcing proper content-type headers, validating file paths strictly to prevent directory traversal, and modifying error messages to avoid disclosing sensitive information.

Useful 0 Not Useful 0