Frappe LMS - v2.35.0 - Cross-Site Scripting as instructor

By 0xhamy 05:08 AM - October 14th 2025
Type: software
Product Environment: web
Product Name: Frappe LMS
Product Vendor: Frappe
Product Version: 2.35.0
Product Link: https://github.com/frappe/lms
Vulnerability Name: Cross-Site Scripting
Severity: Medium
CVSS String: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
CVSS Score: 4.6
CVE ID: CVE-2025-11283
Vendor Acknowledgement: Yes
Affected Digital Assets: 10
Affected Users: 50000
Date of Reporting: Sep 21, 2025
PoC Exploit: -
Credit: 0xhamy, KhanMarshai

Description

Frappe LMS version 2.35.0 contains a cross-site scripting (XSS) vulnerability in the course description field.
When a malicious script is inserted into the course description, it executes in the browser of any instructor or administrator who views the course in edit mode.

Vulnerability Details

The application fails to sanitize user-supplied input in the course description.
An attacker with the ability to create or edit a course can inject arbitrary JavaScript code, which is then executed in the context of other privileged users’ sessions.

We weren't able to steal sensitive data like cookies.


Steps to Reproduce

  1. Log in as an instructor and navigate to:
     http://127.0.0.1:8000/app/user?enabled=1

  2. Create two new user accounts.
     • Example: course_creator_1 and course_creator_2.
     • Assign both the role: Course Creator.

  3. Create a course.
     • Go to: http://127.0.0.1:8000/lms/courses
     • Create a new course with:
       • Title
       • Instructors
       • Short introduction
       • Course introduction

  4. Log in as course_creator_1.
     • Open the course edit page:
       http://127.0.0.1:8000/lms/courses/mygrandcourse/edit

  5. Inject a malicious payload.
     • Insert the following into the course description field:
       <img src=x onerror=alert(document.cookie)>

  6. Trigger the payload.
     • When course_creator_2 or an administrator opens the course in edit mode, the payload executes.
     • Sensitive data such as cookies, roles (instructor/admin), and email addresses may be exposed.

Recommendation

  • Implement strict server-side sanitization of user input in course fields (title, description, introduction, etc.).
  • Disallow or escape dangerous HTML/JavaScript in course descriptions.
  • Consider applying a whitelist-based HTML filter (e.g., only allowing safe tags like <p>, <b>, <i>).
  • Add Content Security Policy (CSP) headers to reduce the impact of injected scripts.
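To illustrate the whitelist-based filter recommended above, here is an added example (not code from the advisory or from the Frappe project) of a stdlib-only Python sanitizer that keeps only <p>, <b> and <i>, strips every attribute, and escapes all remaining text, so the advisory's <img onerror=...> payload is removed before the description is stored. The tag set and the function name sanitize_description are assumptions for this example.

```python
from html import escape
from html.parser import HTMLParser

# Tags an instructor may legitimately use in a course description
# (the advisory suggests <p>, <b>, <i>); everything else is dropped.
ALLOWED_TAGS = {"p", "b", "i"}


class WhitelistSanitizer(HTMLParser):
    """Rebuilds the input keeping only whitelisted tags, with no attributes.

    Disallowed tags such as <img> or <script> are removed together with all
    of their attributes, so event handlers like onerror never reach the page.
    Text nodes are re-escaped so a payload cannot survive as raw markup.
    """

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}>")  # attributes are intentionally discarded

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=True))

    def handle_comment(self, data):
        pass  # comments can smuggle markup through other parsers; drop them


def sanitize_description(html_input: str) -> str:
    """Return a version of html_input safe to store and render in edit mode."""
    parser = WhitelistSanitizer()
    parser.feed(html_input)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed sample: the advisory's payload appended to legitimate markup.
    sample = '<p>Welcome <b>students</b>!</p><img src=x onerror=alert(document.cookie)>'
    print(sanitize_description(sample))  # <p>Welcome <b>students</b>!</p>
```

Apply the filter on the server before persisting the description field (and again on output if the field is ever rendered unescaped), since client-side checks alone can be bypassed.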