DELTA OBSCURA

We are the team behind Mission Cyber Sentinel, a mission dedicated to securing 446,000 digital assets globally.

GitHub

Frappe LMS - v2.35.0 - Cross-Site Scripting as student

By 0xhamy 05:24 AM - October 14th 2025
Type software
Product Environment web
Product Name Frappe LMS
Product Vendor Frappe
Product Version 2.35.0
Product Link https://github.com/frappe/lms
Vulnerability Name Cross-Site Scripting
Severity Medium
CVSS String CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
CVSS Score 4.6
CVE ID CVE-2025-11282
Vendor Acknowledgement Yes
Affected digital Assets 10
Affected Users 50000
Date of Reporting Sep 21, 2025
PoC Exploit -
Credit 0xhamy,KhanMarshai

Description

Frappe LMS version 2.35.0 is vulnerable to a file upload flaw that enables stored cross-site scripting (XSS).
The application incorrectly handles uploaded HTML and SVG files. Although the UI shows visual error messages, malicious files can still be uploaded and later executed in users’ browsers.

Vulnerability Details

The file upload feature allows users to bypass file-type restrictions by switching from “Image Files” to “All Files” and uploading crafted payloads.
While the platform presents a visual error, the files are still saved, and references to them can be accessed.
When other users or administrators view the uploaded file, arbitrary JavaScript payloads execute in their browser.

While this did not lead us to account takeover, we were still able to steal user's email addresses and admin status.

Steps to Reproduce

  1. Log in as administrator.
    Navigate to:
    http://127.0.0.1:8000/app/user?enabled=1

  2. Create a student account.

    • Add a new user.
    • Assign the role: LMS Student.

  3. Create an assignment.

    • Go to: http://127.0.0.1:8000/lms/assignments
    • Create a new assignment with type set to Text.

  4. Create a course and attach the assignment.

    • Navigate to: http://127.0.0.1:8000/lms/courses
    • Create a course.
    • Add a chapter and attach the assignment.
    • Publish the course (optional, the issue persists even if unpublished).

  5. Log in as the student user.

    • Open the course assignment page:
      http://127.0.0.1:8000/lms/courses/MyGrandCourse/learn/2-1

  6. Upload a malicious file.

    • In the editor, click the Image icon to browse files.
    • Switch file type filter from Image FilesAll Files.
    • Upload a crafted HTML payload (example: https://gist.github.com/0xHamy/44ea8308361cc0e5c84666118167e1af).

    Note: An error appears, but the file is still saved.

  7. Trigger the payload.

    • Click Save in the editor.
    • Add a caption (e.g., x) when prompted.
    • An invalid image icon will appear — right-click it and open in a new tab.

  8. Set up a server to capture data.

    • Host a PHP listener, such as: https://gist.github.com/0xHamy/827831b5e3f26b1fd715a5c1aeaa58bd
    • When the malicious file is opened, sensitive data such as user email, administrator status, and full name are exfiltrated to the attacker’s server.

  9. Alternative vector: SVG uploads.

    • SVG files can also be uploaded in the same way.
    • Although CVE-2025-55006 claimed to address this, the patch only prevents visual rendering errors and does not properly enforce backend validation.

Recommendation

  • Enforce strict server-side validation of uploaded file types.
  • Reject non-image files at the backend, not just through the UI.
  • Sanitize and neutralize SVG/HTML uploads or disallow them entirely.
  • Implement Content Security Policy (CSP) headers to mitigate XSS impact.