Primary

Context

Rocket LMS Persistent Cross-Site Scripting Vulnerability

Vulnerability

A persistent cross-site scripting vulnerability has been identified in Rocket LMS version 1.1, specifically within the support ticket module. This vulnerability allows authenticated users to inject malicious scripts through the title parameter of support tickets. The injected scripts are executed in the browsers of users who view the message history, potentially leading to session hijacking and phishing attacks.

Impact

Exploitation of this vulnerability allows for persistent cross-site scripting, where injected scripts are executed in the context of the user viewing the message history. This could lead to session hijacking and phishing attacks.

Reproduction

To reproduce this vulnerability, an authenticated user can submit a support ticket through the 'New Ticket' interface. The user should inject a script payload into the title parameter, which will be executed when the message history is viewed.

Added: May 10, 2026, 1:45 PM

Updated: May 10, 2026, 1:45 PM

Vulnerability Rating

Custom Algorithm

spread

0.8

impact

1.7

exploitability

6.3

remediation

0.0

relevance

7.9

threat

6.4

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

0.8

impact

1.7

exploitability

6.3

remediation

0.0

relevance

7.9

threat

6.4

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Rocket LMS Persistent Cross-Site Scripting Vulnerability

Vulnerability

Impact

Reproduction

Affected Products

Rocket LMS

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating