Frappe LMS Cross-Site Scripting Vulnerability in Course Description

Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in Frappe LMS version 2.35.0. The issue arises in the course description field, where user input is not properly sanitized. This allows an attacker to inject malicious scripts that are executed in the browsers of instructors or administrators viewing the course in edit mode. The vulnerability could lead to session hijacking or data exfiltration, targeting privileged users.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of users with instructor or administrator roles. This could result in session hijacking and unauthorized access to sensitive user information, such as cookies and email addresses.

Reproduction

To reproduce this vulnerability, log in as an administrator and create two user accounts with the 'Course Creator' role. Then, create a course and log in as one of the course creators. Inject a malicious script into the course description field and save the changes. Finally, have an administrator or the other course creator open the course in edit mode to trigger the payload.

Remediation

Users are advised to upgrade to a version of Frappe LMS that addresses this vulnerability. Additionally, implement server-side input sanitization in course fields, disallow or escape harmful HTML and JavaScript in descriptions, and consider applying a whitelist-based HTML filter. Adding Content Security Policy headers can also help mitigate the impact of injected scripts.

Added: Oct 5, 2025, 5:16 AM
Updated: Oct 5, 2025, 5:16 AM

Vulnerability Rating

Custom Algorithm

spread: 1.0
impact: 5.0
exploitability: 6.5
remediation: 0.0
relevance: 0.6
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.