Submit #659697: Frappe Frappe LMS 2.35.0 Cross Site Scripting

Title: Frappe Frappe LMS 2.35.0 Cross Site Scripting

Description:

FRAPPE LMS 2.35.0 – CROSS-SITE SCRIPTING VIA COURSE DESCRIPTION (INSTRUCTOR EDIT MODE)

SUMMARY
Frappe LMS version 2.35.0 contains a cross-site scripting (XSS) vulnerability in the course description field. When a malicious script is inserted into the course description, it executes in the browser of any instructor or administrator who views the course in edit mode.

VULNERABILITY DETAILS
The application fails to sanitize user-supplied input in the course description. An attacker with the ability to create or edit a course can inject arbitrary JavaScript code, which is then executed in the context of other privileged users' sessions. This vulnerability directly targets instructors and administrators, enabling account takeover or data exfiltration.

STEPS TO REPRODUCE
1. Log in as administrator. Navigate to: http://127.0.0.1:8000/app/user?enabled=1
2. Create two new user accounts.
   - Example: course_creator_1 and course_creator_2.
   - Assign both the role: Course Creator
3. Create a course.
   - Go to: http://127.0.0.1:8000/lms/courses
   - Create a new course with:
     - Title
     - Instructors
     - Short introduction
     - Course introduction
4. Log in as course_creator_1.
   - Open the course edit page: http://127.0.0.1:8000/lms/courses/mygrandcourse/edit
5. Inject a malicious payload.
   - Insert the following into the course description field: <img src=x onerror=alert(document.cookie)>
6. Trigger the payload.
   - When course_creator_2 or an administrator opens the course in edit mode, the payload executes.
   - Sensitive data such as cookies, roles (instructor/admin), and email addresses may be exposed.

IMPACT
- Stored XSS: The payload is permanently stored in the course description.
- Privilege escalation: Attackers can hijack sessions of instructors or administrators.
- Data theft: User information (cookies, roles, email addresses) can be exfiltrated.
- Persistent compromise: Any instructor or admin viewing the course in edit mode will be affected.

This issue poses a high security risk, especially since it targets privileged users.

RECOMMENDATION
- Implement strict server-side sanitization of user input in course fields (title, description, introduction, etc.).
- Disallow or escape dangerous HTML/JavaScript in course descriptions.
- Consider applying a whitelist-based HTML filter (e.g., only allowing safe tags like <p>, <b>, <i>).
- Add Content Security Policy (CSP) headers to reduce the impact of injected scripts.

AFFECTED VERSION
- Frappe LMS v2.35.0

CREDITS
Reported by:
- 0xHamy (https://github.com/0xHamy)
- KhanMarshaI (https://github.com/KhanMarshaI)
Source: https://gist.github.com/0xHamy/1f99795df9301a95ee0c6d18028cd3da
User: 0xHamy (UID 88518)
Submission: 09/21/2025 21:36 (9 months ago)
Moderation: 10/04/2025 11:23 (13 days later)
Status: Accepted
VulDB entry: 327017 [Frappe LMS 2.35.0 Course Description cross site scripting]
Points: 20
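The report's recommendation of a whitelist-based HTML filter, shown as an added example that is not part of the submission or of Frappe LMS itself. It uses only the Python standard library; the allowed tag set is an assumption (the `<p>`, `<b>`, `<i>` the report names, plus a few harmless formatting tags), and no attributes are ever kept, so an `onerror` handler cannot survive regardless of how the tag is spelled.

```python
from html import escape
from html.parser import HTMLParser

# Assumed allowlist: the safe tags the report names (p, b, i) plus a few
# harmless formatting tags. Attributes are never kept, so src/href/on* are
# always dropped and the stored description cannot carry event handlers.
ALLOWED_TAGS = {"p", "b", "i", "strong", "em", "br", "ul", "ol", "li"}
VOID_TAGS = {"br"}


class AllowlistSanitizer(HTMLParser):
    """Re-emit only allowlisted tags; disallowed elements (img, script, ...)
    are dropped with their attributes, their plain text content is kept."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag in ALLOWED_TAGS:
            # Attributes are discarded on purpose, even on allowed tags.
            self.out.append(f"<{tag}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text is re-escaped so a stray '<' or '&' cannot form new markup.
        self.out.append(escape(data, quote=False))

    def handle_comment(self, data):
        pass  # comments are dropped; they carry nothing a description needs


def sanitize_description(raw_html: str) -> str:
    parser = AllowlistSanitizer()
    parser.feed(raw_html)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed sample: the payload quoted in the report, inside normal text.
    sample = "<p>Intro <b>bold</b></p><img src=x onerror=alert(document.cookie)>"
    print(sanitize_description(sample))  # <p>Intro <b>bold</b></p>
```

Run the sanitizer server-side on every course field before it is stored, not only on display, so the payload never reaches the database in the first place.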
