Classroomio LMS Stored Cross-Site Scripting Vulnerability
Vulnerability
A stored cross-site scripting vulnerability has been identified in Classroomio LMS version 0.1.13. It allows an authenticated attacker to execute arbitrary JavaScript in the browsers of other users by uploading a crafted SVG file as a course cover image. The application does not sanitize course cover image uploads, so JavaScript embedded in the SVG runs whenever the image is viewed. This issue could lead to session hijacking, account takeover, redirection attacks, or further exploitation within the platform.
Impact
Exploitation of this vulnerability results in stored cross-site scripting: scripts embedded in an uploaded SVG file run in the browser of any user who accesses the corresponding course cover image.
Reproduction
To reproduce this vulnerability, log into Classroomio LMS version 0.1.13 and navigate to a course. Upload a malicious SVG file as the course cover image. After the upload is complete, refresh the page and observe the execution of the embedded script in the SVG file.
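The root cause described above is that cover image uploads are accepted without inspection. The following is an added example of an upload-side check written for this page; it is not Classroomio code and makes no assumptions about the project's internals beyond receiving the raw file bytes. It rejects an SVG that contains script-capable elements, event-handler attributes, non-fragment href targets, or DOCTYPE/entity declarations, and it is exercised on constructed sample files (the benign cover image and the rejected variants below are all made up for the example).

```python
import re
import xml.etree.ElementTree as ET
from typing import Tuple

SVG_NS = "http://www.w3.org/2000/svg"

# Elements that can execute script or embed foreign content when an SVG is rendered in a page.
FORBIDDEN_ELEMENTS = {"script", "foreignObject", "iframe", "embed", "object"}

# Matches an absolute URL scheme such as "javascript:", "http:" or "data:".
SCHEME_RE = re.compile(r"^[a-zA-Z][a-zA-Z0-9+.\-]*:")


def _local_name(qualified: str) -> str:
    """Strip the namespace from an ElementTree tag or attribute name such as '{uri}script'."""
    return qualified.rsplit("}", 1)[-1]


def validate_svg(data: bytes, max_bytes: int = 512 * 1024) -> Tuple[bool, str]:
    """Return (True, 'ok') if the SVG is safe to store as a cover image, else (False, reason).

    This is a reject-on-detect check: anything that could carry script is refused outright
    rather than stripped, so a rejected upload never reaches storage.
    """
    if len(data) > max_bytes:
        return False, "file too large"
    upper = data.upper()
    if b"<!DOCTYPE" in upper or b"<!ENTITY" in upper:
        return False, "DOCTYPE and entity declarations are not allowed"
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return False, f"not well-formed XML: {exc}"
    if root.tag != f"{{{SVG_NS}}}svg":
        return False, "root element is not <svg> in the SVG namespace"

    # root.iter() walks the root and every descendant in document order.
    for elem in root.iter():
        name = _local_name(elem.tag)
        if name in FORBIDDEN_ELEMENTS:
            return False, f"forbidden element <{name}>"
        for attr, value in elem.attrib.items():
            attr_name = _local_name(attr).lower()
            # onload, onclick, onmouseover, ... all run script when the image is rendered.
            if attr_name.startswith("on"):
                return False, f"event handler attribute {attr_name} on <{name}>"
            # href / xlink:href may only point inside the document (#id); any scheme is refused.
            if attr_name == "href":
                target = value.strip()
                if not target.startswith("#") or SCHEME_RE.match(target):
                    return False, f"href on <{name}> must be a same-document fragment"
    return True, "ok"


# Constructed sample uploads for the example; none of these come from the product.
BENIGN_COVER = (
    b'<svg xmlns="http://www.w3.org/2000/svg" width="100" height="100">'
    b'<circle cx="50" cy="50" r="40" fill="steelblue"/>'
    b'<a href="#title"><text x="10" y="20">Course</text></a></svg>'
)
SCRIPT_ELEMENT = (
    b'<svg xmlns="http://www.w3.org/2000/svg">'
    b'<script>/* constructed placeholder, intentionally inert */</script>'
    b'<circle r="1"/></svg>'
)
EVENT_HANDLER = b'<svg xmlns="http://www.w3.org/2000/svg" onload="f()"><circle r="1"/></svg>'
SCHEME_HREF = (
    b'<svg xmlns="http://www.w3.org/2000/svg">'
    b'<a href="javascript:void(0)"><circle r="1"/></a></svg>'
)
DOCTYPE_DECL = b'<!DOCTYPE svg><svg xmlns="http://www.w3.org/2000/svg"><circle r="1"/></svg>'

if __name__ == "__main__":
    for label, blob in [("benign", BENIGN_COVER), ("script element", SCRIPT_ELEMENT),
                        ("event handler", EVENT_HANDLER), ("scheme href", SCHEME_HREF),
                        ("doctype", DOCTYPE_DECL)]:
        print(label, "->", validate_svg(blob))
```

The check above is a blocklist applied at upload time, which is the minimum needed to close the issue as described; a stronger design either converts uploaded SVGs to a raster format or serves them from a separate origin with `Content-Disposition: attachment` so that any script they contain never executes in the application's origin.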
