| Field | Value |
|---|---|
| Title | Selleo Labs Sp. z o.o. Mentingo learn-v2025.08.27 Cross Site Scripting |
| Description | Attack Vector: Web Application<br>Impact: Privilege Escalation<br>Brief Description: Stored XSS in course description field leading to admin privilege escalation<br><br>The LMS platform allows content creators or administrators to create new courses. The course description field does not sanitize or escape HTML input, which permits injection of malicious JavaScript.<br><br>The injected JavaScript executes immediately, even as one is typing, and, after saving it, every time any user (student, content creator, or admin) visits the global courses catalogue view. The payload is triggered globally without requiring the victim to open the specific malicious course.<br><br>Depending on the payload and the victim's role:<br>1. Student victim → attacker can silently enroll them in an attacker-controlled course via a forged `POST /api/course/enroll-course` request.<br>2. Admin victim → attacker can forge a `POST /api/user` request to provision a new administrative account under the attacker's control. The attacker then receives an activation email and sets a password, gaining persistent full administrative access to the platform. |
| Source | ⚠️ https://gist.github.com/KhanMarshaI/584ae9d7ba8578ac040a0f89597fc3c1 |
| User | KhanMarshal (UID 89610) |
| Submitted | 2025-08-29 00:09 (8 months ago) |
| Moderation | 2025-09-13 11:40 (15 days later) |
| Status | Accepted |
| VulDB Entry | 323823 [Selleo Mentingo 2025.08.27 Create New Course Basic Settings enroll-course Description cross site scripting] |
| Points | 20 |