Submission #659696: Frappe Frappe LMS 2.35.0 Cross Site Scripting – Info

Title: Frappe Frappe LMS 2.35.0 Cross Site Scripting
Description:
FRAPPE LMS 2.35.0 – CROSS-SITE SCRIPTING VIA MALICIOUS FILE UPLOAD

SUMMARY
Frappe LMS version 2.35.0 is vulnerable to a file upload flaw that enables stored cross-site scripting (XSS). The application incorrectly handles uploaded HTML and SVG files. Although the UI shows visual error messages, malicious files can still be uploaded and later executed in users’ browsers.

VULNERABILITY DETAILS
The file upload feature allows users to bypass file-type restrictions by switching from “Image Files” to “All Files” and uploading crafted payloads. While the platform presents a visual error, the files are still saved, and references to them can be accessed. When other users or administrators view the uploaded file, arbitrary JavaScript payloads execute in their browser. This issue allows attackers to steal session data, impersonate users, and escalate privileges.

STEPS TO REPRODUCE
1. Log in as administrator.
   - Navigate to: http://127.0.0.1:8000/app/user?enabled=1
2. Create a student account.
   - Add a new user.
   - Assign the role: LMS Student
3. Create an assignment.
   - Go to: http://127.0.0.1:8000/lms/assignments
   - Create a new assignment with type set to Text
4. Create a course and attach the assignment.
   - Navigate to: http://127.0.0.1:8000/lms/courses
   - Create a course.
   - Add a chapter and attach the assignment.
   - Publish the course (optional, the issue persists even if unpublished).
5. Log in as the student user.
   - Open the course assignment page: http://127.0.0.1:8000/lms/courses/MyGrandCourse/learn/2-1
6. Upload a malicious file.
   - In the editor, click the Image icon to browse files.
   - Switch file type filter from Image Files → All Files.
   - Upload a crafted HTML payload (example: https://gist.github.com/0xHamy/44ea8308361cc0e5c84666118167e1af).
   - Note: An error appears, but the file is still saved.
7. Trigger the payload.
   - Click Save in the editor.
   - Add a caption (e.g., x) when prompted.
   - An invalid image icon will appear — right-click it and open in a new tab.
8. Set up a server to capture data.
   - Host a PHP listener, such as: https://gist.github.com/0xHamy/827831b5e3f26b1fd715a5c1aeaa58bd
   - When the malicious file is opened, sensitive data such as user email, administrator status, and full name are exfiltrated to the attacker’s server.
9. Alternative vector: SVG uploads.
   - SVG files can also be uploaded in the same way.
   - Although CVE-2025-55006 claimed to address this, the patch only prevents visual rendering errors and does not properly enforce backend validation.

IMPACT
- Stored XSS: Malicious JavaScript executes in the browsers of users or administrators viewing the uploaded file.
- Data exfiltration: Sensitive information (user email, admin status, full name) can be stolen.
- Account compromise: Session hijacking and privilege escalation are possible.
- Persistence: Since payloads remain stored in the application, any future viewer can be compromised.
This vulnerability poses a high risk to the confidentiality and integrity of user accounts and application data.

RECOMMENDATION
- Enforce strict server-side validation of uploaded file types.
- Reject non-image files at the backend, not just through the UI.
- Sanitize and neutralize SVG/HTML uploads or disallow them entirely.
- Implement Content Security Policy (CSP) headers to mitigate XSS impact.

AFFECTED VERSION
- Frappe LMS v2.35.0

CREDITS
Reported by:
- 0xHamy (https://github.com/0xHamy)
- KhanMarshaI (https://github.com/KhanMarshaI)
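The RECOMMENDATION section above, as an added example that is not Frappe LMS code and not from the report: a server-side allow-list validator that sniffs file content instead of trusting the client-side "Image Files / All Files" filter, plus the response headers for serving stored uploads so a browser never renders them as a document. Function names, the accepted format set and the header values are assumptions; hooking it into the framework's upload path is left to the deployer.

```python
import re
from typing import Dict, Optional, Tuple

# Magic-byte signatures for the raster formats the upload endpoint should accept
# (an allow-list; anything not here is rejected regardless of extension or MIME claim).
ALLOWED_SIGNATURES = {
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/gif": (b"GIF87a", b"GIF89a"),
}

# Markup a browser would execute as a document. Scanning for it catches HTML and SVG
# uploads even when they carry an image extension or an image/* content type.
ACTIVE_CONTENT = re.compile(rb"<\s*(svg|html|script|iframe|body|!doctype)\b", re.IGNORECASE)


def detect_image_type(data: bytes) -> Optional[str]:
    """Return the sniffed MIME type if the content starts with an allowed signature."""
    for mime, sigs in ALLOWED_SIGNATURES.items():
        if any(data.startswith(sig) for sig in sigs):
            return mime
    if data[:4] == b"RIFF" and data[8:12] == b"WEBP":  # WebP: RIFF container tagged WEBP
        return "image/webp"
    return None


def validate_upload(data: bytes, declared_type: str) -> Tuple[bool, str]:
    """Server-side decision on whether an upload may be stored; the client filter is ignored."""
    # Reject markup first: a file that parses as HTML/SVG must never be stored as an
    # "image", even if it is also a polyglot carrying a valid image header.
    if ACTIVE_CONTENT.search(data[:4096]):
        return False, "rejected: HTML/SVG markup is active content, not an image"
    sniffed = detect_image_type(data)
    if sniffed is None:
        return False, "rejected: content is not a recognised raster image"
    if declared_type != sniffed:
        # Client claim and real content disagree: trust neither, reject.
        return False, f"rejected: declared {declared_type} but content is {sniffed}"
    return True, f"accepted as {sniffed}"


def safe_file_headers(sniffed: str) -> Dict[str, str]:
    """Response headers for serving stored uploads so the browser never renders them as a page."""
    return {
        "Content-Type": sniffed,
        "X-Content-Type-Options": "nosniff",   # do not second-guess the declared type
        "Content-Disposition": "attachment",   # download, never inline document rendering
        "Content-Security-Policy": "sandbox; default-src 'none'",  # no script even if rendered
    }
```

The sample inputs in the checks below are constructed; a real deployment would run `validate_upload` on the raw upload body before anything is written to disk or the File record is created.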
Source: https://gist.github.com/0xHamy/c2a81f2d1c779c513fa3db6f3ad24544
User: 0xHamy (UID 88518)
Submitted: 2025-09-21 09:33 PM (9 months ago)
Moderation: 2025-10-04 11:23 AM (13 days later)
Status: Accepted
VulDB Entry: 327016 [Frappe LMS 2.34.x/2.35.0 Incomplete Fix CVE-2025-55006 Cross Site Scripting]
Points: 20
