CVE-2025-11282

MEDIUM
2025-10-05 [email protected]
4.8
CVSS 4.0

CVSS Vector (NVD)

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
Passive (P)
Scope
X

Lifecycle Timeline

Analysis Generated
Mar 25, 2026 - 13:22 vuln.today
PoC Detected
Mar 25, 2026 - 13:16 vuln.today
Public exploit code
CVE Published
Oct 05, 2025 - 05:15 nvd
MEDIUM 4.8

Description (NVD)

A vulnerability was found in Frappe LMS 2.34.x/2.35.0. The impacted element is an unknown function of the component Incomplete Fix CVE-2025-55006. Performing a manipulation results in cross site scripting. Remote exploitation of the attack is possible. The exploit has been made public and could be used. The affected component should be upgraded. The vendor was informed early about a total of four security issues and confirmed that those have been fixed. However, the release notes on GitHub do not mention them.

Analysis (AI)

Frappe LMS versions 2.34.x and 2.35.0 contain a cross-site scripting (XSS) vulnerability in an incomplete fix for CVE-2025-55006, allowing authenticated remote attackers with high privileges to inject malicious scripts that execute in user browsers. Publicly available exploit code exists, and while the CVSS score of 4.8 is moderate, the low EPSS percentile (21%) and requirement for privileged user interaction suggest limited real-world exploitation likelihood despite public disclosure.

Technical Context (AI)

The vulnerability is rooted in CWE-79 (Improper Neutralization of Input During Web Page Generation or 'Cross-site Scripting'), indicating inadequate input sanitization or output encoding in the Frappe Learning Management System. The affected product is Frappe LMS (CPE: cpe:2.3:a:frappe:learning:*:*:*:*:*:*:*:*), a learning platform built on the Frappe framework. The vulnerability exists in an incomplete remediation of a prior XSS issue (CVE-2025-55006), meaning the vendor's previous fix failed to address the full attack surface, allowing attackers to bypass existing protections through an unknown function within the component.

Affected Products (AI)

Frappe LMS versions 2.34.x and 2.35.0 are affected as confirmed by CPE (cpe:2.3:a:frappe:learning:*:*:*:*:*:*:*:*). The vendor was informed of four security issues total, with confirmation that fixes were applied; however, the GitHub release notes do not explicitly document this specific vulnerability. Consult the GitHub security advisory at https://github.com/frappe/lms/security/advisories/GHSA-mvxw-r9x4-3vrr and the Frappe LMS repository at https://github.com/frappe/lms/ for patch availability and version details.

Remediation (AI)

Upgrade Frappe LMS to a version released after 2.35.0 that incorporates the vendor's security fixes; consult the GitHub security advisory (https://github.com/frappe/lms/security/advisories/GHSA-mvxw-r9x4-3vrr) for the exact patched version number. Until patching is feasible, restrict administrative and instructor account access to trusted networks, enforce strong authentication (multi-factor authentication where supported), and conduct input validation audits of the affected component. Additionally, implement Content Security Policy (CSP) headers to mitigate reflected XSS execution in user browsers as a temporary control layer.
