Selleo Mentingo Cross-Site Scripting Vulnerability in Course Enrollment API

Vulnerability

A stored cross-site scripting (XSS) vulnerability affects Selleo Mentingo version 2025.08.27. The flaw is in the 'Create New Course Basic Settings' component, reached through the '/api/course/enroll-course' endpoint: the 'Description' argument is saved without sanitization and later rendered into the course catalog without output encoding, so script supplied in it executes in the browser of anyone who views the catalog. The flaw can be exploited remotely, and a public exploit is available.

Impact

The injected script runs in the browser session of whoever views the course catalog, and any request it makes carries that viewer's credentials. If the viewer is an administrator, the script can create a new administrator account controlled by the attacker, turning write access to a single description field into full administrative control.

Reproduction

An authenticated content creator or administrator saves a course whose description field contains an XSS payload. The payload is stored as submitted and executes whenever any user, administrators included, opens the global course catalog; because the catalog itself renders the description, viewing the catalog is enough to trigger it.
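The following is an added example, not code from Mentingo or from the advisory. It models a course-catalog renderer to show the stored-XSS pattern described in the Impact and Reproduction sections and one way to close it: the same stored description is interpolated raw into the markup (vulnerable) and then HTML-encoded at the point of output (hardened), followed by a coarse triage filter for descriptions already in the database. The course records, both payloads and the '/api/admin/users' endpoint inside the second payload are constructed for illustration and are not Mentingo's.

```javascript
// Added example, not Mentingo's code. Constructed sample records, as a content
// creator could store them through a "Description" field that is saved verbatim.
const sampleCourses = [
  {
    title: "Intro to Security",
    description: '<img src=x onerror="alert(document.cookie)">',
  },
  {
    title: "Advanced Topics",
    // Constructed payload: it runs in the viewer's session, so when an admin
    // views the catalog the request is sent with admin rights. The endpoint
    // is hypothetical.
    description:
      '<script>fetch("/api/admin/users",{method:"POST",credentials:"include",' +
      'headers:{"Content-Type":"application/json"},' +
      'body:JSON.stringify({email:"attacker@example.com",role:"admin"})})</script>',
  },
  { title: "Maths 101", description: 'Covers 5 < 6 and 7 > 3 plus "quotes".' },
];

// VULNERABLE: the stored description is interpolated straight into markup.
// Once the page assigns this string to innerHTML, the payload executes.
function renderCatalogVulnerable(courses) {
  return courses
    .map((c) => `<div class="course"><h2>${c.title}</h2><p>${c.description}</p></div>`)
    .join("\n");
}

// Encode the characters that can break out of an HTML text or attribute context.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// HARDENED: every untrusted field is encoded where it enters the markup.
// The description still displays exactly as typed, but as text, not as HTML.
function renderCatalogSafe(courses) {
  return courses
    .map(
      (c) =>
        `<div class="course"><h2>${escapeHtml(c.title)}</h2>` +
        `<p>${escapeHtml(c.description)}</p></div>`,
    )
    .join("\n");
}

// Triage helper for data already stored before the fix: flag descriptions that
// contain a tag or an inline event handler so they can be reviewed. This is a
// coarse filter for finding candidates, not a sanitizer; never use it to decide
// that a value is safe to render.
function looksLikeMarkup(text) {
  return /<\s*[a-z!\/]/i.test(text) || /\bon[a-z]+\s*=/i.test(text);
}

function findSuspiciousCourses(courses) {
  return courses.filter((c) => looksLikeMarkup(c.description)).map((c) => c.title);
}

// Stand-alone run: print both renderings and the triage result side by side.
console.log("vulnerable:\n" + renderCatalogVulnerable(sampleCourses));
console.log("\nhardened:\n" + renderCatalogSafe(sampleCourses));
console.log("\nsuspicious:", findSuspiciousCourses(sampleCourses));
```

Output encoding is the right fix when the description is plain text. If the field is meant to carry rich text, encoding would destroy the formatting; in that case run the stored value through an allowlist sanitizer such as DOMPurify at render time rather than trusting what was saved. A Content Security Policy that does not allow 'unsafe-inline' blocks both payload variants above as a second layer, but it is not a substitute for fixing the renderer.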

Added: Sep 14, 2025, 4:18 AM
Updated: Sep 14, 2025, 4:18 AM

Vulnerability Rating

Custom Algorithm

  spread          0.0
  impact          5.4
  exploitability  7.7
  remediation     0.0
  relevance       0.5
  threat          6.4
  urgency         2.9
  incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.