RELATE Stored Cross-Site Scripting Vulnerability Allowing Admin Account Takeover

Vulnerability

A stored cross-site scripting vulnerability has been identified in RELATE, a web-based courseware package, affecting versions through 2024.1. The issue allows any enrolled student to execute arbitrary JavaScript in an administrator's browser session, potentially leading to a full admin account takeover. The vulnerability arises in the 'get_user()' method of the 'ParticipationAdmin' class, where user-controlled input is rendered using 'mark_safe' and Python's string formatting. This combination bypasses Django's automatic HTML escaping. The unsanitized data, sourced from editable user profile fields, is executed in the admin's browser when the Participation list is viewed.
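As an added illustration, not RELATE's own code, the pattern the advisory describes sits beside the fix Django provides: a hypothetical get_user_vulnerable() interpolates editable profile fields with Python string formatting and then wraps the result in mark_safe, while get_user_fixed() escapes each argument before marking the markup safe, which is what django.utils.html.format_html does. So that it runs offline without Django installed, SafeString, mark_safe, format_html and render are small stand-ins with the same semantics, and the participation record is constructed.

```python
from html import escape

class SafeString(str):
    """Stand-in for Django's SafeString: the template engine emits it unescaped."""

def mark_safe(s):
    # Stand-in for django.utils.safestring.mark_safe: trusts s as HTML.
    return SafeString(s)

def format_html(fmt, *args):
    # Stand-in for django.utils.html.format_html: escape every interpolated
    # argument first, then mark the assembled template string as safe.
    return mark_safe(fmt.format(*(escape(str(a)) for a in args)))

def render(value):
    # Autoescaping as the admin changelist applies it: SafeString passes
    # through untouched, anything else is HTML-escaped.
    return str(value) if isinstance(value, SafeString) else escape(str(value))

# Constructed participation record; the nested user fields are the
# profile values a student can edit.
PARTICIPATION = {
    "user": {
        "username": "mallory",
        "first_name": "<script>steal()</script>",
        "last_name": "Example",
    }
}

def get_user_vulnerable(participation):
    # Pattern the advisory describes: Python string formatting of
    # user-controlled fields, then mark_safe on the whole result, so the
    # student's markup reaches the admin's browser as live HTML.
    u = participation["user"]
    return mark_safe(
        '<span class="user">%s (%s %s)</span>'
        % (u["username"], u["first_name"], u["last_name"])
    )

def get_user_fixed(participation):
    # Hardened form: only the template literal is trusted; each field is
    # escaped before insertion, so injected tags render as inert text.
    u = participation["user"]
    return format_html(
        '<span class="user">{} ({} {})</span>',
        u["username"], u["first_name"], u["last_name"],
    )
```

Rendering both through render() shows the difference: the vulnerable output contains a live script tag, the fixed output contains only the escaped entity form.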

Impact

Successful exploitation allows an enrolled student's malicious script to execute in the context of the administrator's browser session, which can lead to a full admin account takeover.

Remediation

Users can update to the latest version of RELATE to address this vulnerability.

Added: May 28, 2026, 3:38 AM
Updated: May 28, 2026, 3:38 AM

Vulnerability Rating

Custom Algorithm

  spread          0.0
  impact          5.4
  exploitability  5.7
  remediation     0.0
  relevance       9.1
  threat          3.2
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.