Submission #643623: Selleo Labs Sp. z o.o. Mentingo learn-v2025.08.27 Cross Site Scripting (details)

Title: Selleo Labs Sp. z o.o. Mentingo learn-v2025.08.27 Cross Site Scripting

Description:

Attack Vector: Web Application
Impact: Privilege Escalation
Brief Description: Stored XSS in the course description field leading to admin privilege escalation

The LMS platform allows content creators or administrators to create new courses. The course description field does not sanitize or escape HTML input, which permits injection of malicious JavaScript. The injected JavaScript executes immediately in the editor, even while the description is being typed; once saved, it executes every time any user (student, content creator, or admin) visits the global course catalogue view. The payload is triggered globally, without requiring the victim to open the specific malicious course.

Depending on the payload and the victim's role:

1. Student victim → the attacker can silently enroll them in an attacker-controlled course via a forged `POST /api/course/enroll-course` request.
2. Admin victim → the attacker can forge a `POST /api/user` request to provision a new administrative account under the attacker's control. The attacker then receives an activation email and sets a password, gaining persistent full administrative access to the platform.
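The root cause above is a course description rendered as live HTML in the catalogue view. The following is an added illustration, not code from the submission or from the Mentingo code base: the unsafe string-concatenation pattern next to a hardened version that applies contextual HTML output encoding, with a constructed sample course object (the `course` shape and field names are assumptions for the demo).

```javascript
// Added example; the course object shape and sample data are constructed.
// Models one card in a course catalogue view: title plus description.

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Contextual output encoding for HTML text content and quoted attribute values.
// The same encoding (or assigning to textContent) must be used by the editor's
// live preview, since the report notes execution while typing, before save.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Vulnerable pattern: stored, attacker-controlled text is interpolated straight
// into markup, so whatever sits in the field becomes live HTML for every visitor.
function renderCardUnsafe(course) {
  return `<div class="course"><h3>${course.title}</h3><p>${course.description}</p></div>`;
}

// Hardened pattern: every untrusted field is escaped for the context it lands in.
// Storage stays as-entered; neutralisation happens at the render boundary.
function renderCardSafe(course) {
  return `<div class="course"><h3>${escapeHtml(course.title)}</h3>` +
         `<p>${escapeHtml(course.description)}</p></div>`;
}

// Regression check for a test suite: the only tags in the output should be the
// template's own three elements, so a fourth '<' means stored markup leaked.
function hasOnlyTemplateTags(html) {
  const openers = html.match(/</g) || [];
  return openers.length === 6; // <div>, <h3>, </h3>, <p>, </p>, </div>
}

// Constructed sample: a description carrying an inert script tag marker.
const sampleCourse = { title: 'Intro <b>Course</b>', description: '<script>x()</script>' };
```

Running `hasOnlyTemplateTags(renderCardSafe(sampleCourse))` returns true, while the unsafe renderer fails the same check.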
Source: https://gist.github.com/KhanMarshaI/584ae9d7ba8578ac040a0f89597fc3c1
Submitter: KhanMarshal (UID 89610)
Created: 08/29/2025 00:09
Accepted: 09/13/2025 11:40 (15 days later)
Status: Shingilam
VulDB entry: 323823 [Selleo Mentingo 2025.08.27 Create New Course Basic Settings enroll-course Description Cross Site Scripting]
Points: 20
