CVE-2021-47907
Received - Intake
Persistent XSS in Rocket LMS Support Ticket Module

Publication date: 2026-05-10

Last updated on: 2026-05-10

Assigner: VulnCheck

Description
Rocket LMS 1.1 contains a persistent cross-site scripting vulnerability in the support ticket module that allows authenticated users to inject malicious script code through the title parameter. Attackers can submit support tickets with embedded HTML/JavaScript payloads that execute in the browsers of other users viewing the message history, enabling session hijacking and phishing attacks.
Meta Information
Published: 2026-05-10
Last Modified: 2026-05-10
Generated: 2026-05-10
AI Q&A: 2026-05-10
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
rocket_lms rocket_lms 1.1
rocket_soft rocket_lms to 1.1 (inc)
linux_kernel linux_kernel to 1.1 (inc)
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2021-47907 is a persistent cross-site scripting (XSS) vulnerability found in Rocket LMS version 1.1, specifically in the support ticket module.

Authenticated users can exploit this flaw by injecting malicious script code through the title parameter of support tickets.

When other users view the message history of these tickets, the embedded HTML or JavaScript payloads execute in their browsers.

This can lead to session hijacking and phishing attacks.


How can this vulnerability impact me?

This vulnerability can impact users by allowing attackers to execute malicious scripts in their browsers when they view support ticket histories.

  • Session hijacking: Attackers can steal session cookies to impersonate users.
  • Phishing attacks: Malicious scripts can be used to trick users into revealing sensitive information.

Since the vulnerability requires authenticated access to inject scripts, it primarily affects users within the Rocket LMS environment.


What immediate steps should I take to mitigate this vulnerability?

To mitigate the persistent cross-site scripting vulnerability in Rocket LMS 1.1, it is recommended to restrict or carefully monitor authenticated user input in the support ticket module, especially the title parameter.

Applying patches or upgrading to a version of Rocket LMS that addresses this vulnerability is advised.

Additionally, educating users about the risks of clicking on suspicious links or scripts in support tickets can help reduce the impact of potential attacks.
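
The fix for CWE-79 on this field is to HTML-encode the stored title when it is written into the message history, with intake validation as a second layer. The sketch below is an added example, not Rocket LMS code: the function names, the list-item markup and the 120-character limit are assumptions made for illustration.

```python
import html
import re

MAX_TITLE_LEN = 120  # assumed limit for illustration, not a Rocket LMS setting


def validate_title(title: str) -> str:
    """Intake check: strip control characters and bound the length before storing."""
    title = re.sub(r"[\x00-\x1f\x7f]", "", title).strip()
    if not title or len(title) > MAX_TITLE_LEN:
        raise ValueError(f"title must be 1..{MAX_TITLE_LEN} characters")
    return title


def render_history_row_unsafe(title: str) -> str:
    """Vulnerable pattern: the stored title is concatenated into HTML as-is."""
    return f'<li class="ticket-title">{title}</li>'


def render_history_row(title: str) -> str:
    """Hardened pattern: encode at output so stored markup is displayed as text."""
    return f'<li class="ticket-title">{html.escape(title, quote=True)}</li>'


# Constructed sample values: one title carrying markup, one legitimate title
# that happens to contain HTML metacharacters.
STORED_MARKUP = "<img src=x onload=alert(1)>"
STORED_LEGIT = "Q&A: price < 100"

if __name__ == "__main__":
    for stored in (STORED_MARKUP, STORED_LEGIT):
        print("unsafe:", render_history_row_unsafe(stored))
        print("safe:  ", render_history_row(validate_title(stored)))
```

Encoding at output keeps legitimate titles containing `<` or `&` intact, which a reject-on-input filter alone would not.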


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability in Rocket LMS 1.1 allows authenticated users to inject malicious scripts that can execute in other users' browsers, enabling session hijacking and phishing attacks. Such attacks can lead to unauthorized access to user data and compromise user sessions.

While the provided information does not explicitly mention compliance with standards like GDPR or HIPAA, the ability to hijack sessions and perform phishing attacks could result in breaches of personal data confidentiality and integrity, which are critical requirements under these regulations.

Therefore, organizations using affected versions of Rocket LMS may face increased risk of non-compliance with data protection regulations due to potential unauthorized access and data exposure stemming from this vulnerability.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring and inspecting support ticket submissions in Rocket LMS version 1.1 for malicious script injections in the title parameter.

One approach is to look for POST requests to the support ticket submission endpoint containing suspicious HTML or JavaScript payloads, such as <script> tags or event handlers like onload within image tags.

Example commands to detect such activity could include using network traffic inspection tools like tcpdump or Wireshark to capture HTTP POST requests to the support ticket endpoint and then searching for suspicious payloads.

  • Use tcpdump to capture HTTP POST requests to the support ticket endpoint: tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep 'POST /support/ticket'
  • Search captured traffic or logs for suspicious script tags or event handlers, for example: grep -iE '<script|onload' captured_traffic.log

Additionally, reviewing application logs for unusual or unexpected input in the title parameter of support tickets can help identify exploitation attempts.
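
A grep for `<script` over raw traffic misses form bodies in which the markup is URL-encoded (`%3Cscript`), and a capture on port 80 sees nothing once the site is served over TLS. The added example below (not part of the original page) decodes logged form bodies and inspects the `title` field itself; the record layout, the sample records and the `/support/ticket` path, taken from the command above, are assumptions to adapt to the real deployment.

```python
import re
from urllib.parse import parse_qs

TICKET_PATH = "/support/ticket"  # path from the page's tcpdump example; adjust as needed

# Markup that a plain-text ticket title should never contain.
SUSPICIOUS = re.compile(
    r"<\s*/?\s*(script|img|svg|iframe|object|embed)\b"  # HTML tags
    r"|\bon[a-z]+\s*="                                  # inline event handlers
    r"|javascript\s*:",                                 # script URLs
    re.IGNORECASE,
)


def suspicious_title(form_body: str):
    """Return the URL-decoded title if it carries markup, else None."""
    fields = parse_qs(form_body, keep_blank_values=True)
    for title in fields.get("title", []):
        if SUSPICIOUS.search(title):
            return title
    return None


def scan(records):
    """records: iterable of (client, method, path, body). Returns flagged (client, title)."""
    hits = []
    for client, method, path, body in records:
        if method != "POST" or not path.startswith(TICKET_PATH):
            continue
        title = suspicious_title(body)
        if title is not None:
            hits.append((client, title))
    return hits


# Constructed sample records (documentation IP range), not real traffic.
SAMPLE = [
    ("192.0.2.5", "POST", "/support/ticket", "title=Cannot+open+course+3&message=help"),
    ("192.0.2.9", "POST", "/support/ticket",
     "title=%3Cimg+src%3Dx+onload%3Dalert%281%29%3E&message=hi"),
    ("192.0.2.7", "POST", "/support/ticket",
     "title=%3CsCrIpT%3Ealert(1)%3C%2Fscript%3E&message=x"),
    ("192.0.2.4", "POST", "/support/ticket", "title=Price+%3C+100+onsite%3F&message=q"),
    ("192.0.2.9", "GET", "/support/ticket", ""),
]

if __name__ == "__main__":
    for client, title in scan(SAMPLE):
        print(f"{client}: suspicious ticket title {title!r}")
```

The same `SUSPICIOUS` pattern can be run over ticket titles already stored by the application, since a persistent payload remains in place after the submitting request is gone.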

