Frappe LMS CVE-2025-11283
Severity: LOW (by source)
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
Description (CVE.org)
A vulnerability was determined in Frappe LMS 2.35.0. This affects an unknown function of the component Course Handler. Executing manipulation of the argument Description can lead to cross site scripting. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. It is suggested to upgrade the affected component. The vendor was informed early about a total of four security issues and confirmed that those have been fixed. However, the release notes on GitHub do not mention them.
Analysis (AI)
Cross-site scripting (XSS) in the Course Handler of Frappe LMS 2.35.0 allows an authenticated user with high privileges to inject malicious scripts via the Description argument. Exploitation also requires user interaction, and the result is an integrity impact on stored content. Exploit code is publicly available. The CVSS score of 1.9 indicates minimal real-world risk despite the XSS classification, and the probability of active exploitation is also very low (EPSS 0.07%). This is therefore a low-priority vulnerability, except in multi-tenant environments where malicious admins pose insider threats.
Technical Context (AI)
Frappe LMS is a learning management system component built on the Frappe framework. The vulnerability exists in the Course Handler component, which processes course metadata including the Description field. CWE-79 (Improper Neutralization of Input During Web Page Generation) indicates insufficient input sanitization or output encoding when the Description parameter is rendered in the web interface. The attack vector is network-based but requires high-privilege authentication (PR:H) and user interaction (UI:P), limiting the attack surface to authenticated administrators or instructors who must interact with malicious course content. The integrity impact (VI:L) suggests stored XSS that affects the confidentiality or display of course information rather than system-level compromise.
Remediation (AI)
Upgrade Frappe LMS to a version released after the vendor's fix confirmation. Since the GitHub release notes do not explicitly mention the security patch, verify the patched version by contacting the Frappe maintainers directly or by reviewing the vulnerability tracker at https://vuldb.com/?id.327017 for a confirmed fix version. If an immediate upgrade is not possible, implement compensating controls: restrict the Course Handler and course description editing functionality to a minimal set of trusted administrators via role-based access control, disable user interaction with course descriptions in rendering contexts (e.g., disable rich-text preview without explicit user action), and deploy a web application firewall (WAF) rule to detect and block inline script tags in Course Handler API requests. Each mitigation carries trade-offs: role restriction limits the course management workflow, disabling preview reduces administrator usability, and WAF rules may generate false positives on legitimate content with angle brackets.
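To complement the WAF rule and its false-positive caveat above, the following added example (not code from this advisory or from the Frappe project) audits already-stored course descriptions by parsing them as HTML, so that plain text containing angle brackets is not flagged while script-bearing markup is. It assumes the descriptions have been exported as (course name, HTML) pairs; the sample rows and the tag, attribute and scheme lists are constructed here as a starting point, not a complete policy.

```python
from html.parser import HTMLParser

# Assumed starting lists: elements and URL attributes that can run or load script.
ACTIVE_TAGS = {"script", "iframe", "object", "embed", "svg", "math", "base", "meta", "link"}
URL_ATTRS = {"href", "src", "action", "formaction", "xlink:href"}
BAD_SCHEMES = ("javascript:", "vbscript:", "data:text/html")


class ActiveContentFinder(HTMLParser):
    """Collects reasons why a stored HTML fragment would execute script."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.findings.append(f"active element <{tag}>")
        for name, value in attrs:
            # Browsers ignore whitespace and control characters inside a scheme.
            url = "".join(c for c in (value or "") if c > " ").lower()
            if name.startswith("on"):
                self.findings.append(f"event handler {name} on <{tag}>")
            elif name == "srcdoc" or (name in URL_ATTRS and url.startswith(BAD_SCHEMES)):
                self.findings.append(f"script-bearing {name} on <{tag}>")


def audit_description(html):
    """Return a list of findings for one description; empty means nothing active."""
    finder = ActiveContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample rows (course name, description); not taken from a real site.
SAMPLE_COURSES = [
    ("intro-python", "<p>Loops: repeat while x < 10 and y > 3.</p>"),
    ("web-basics", '<p>Welcome</p><img src="logo.png" onerror="load()">'),
    ("sql-101", '<a href="java\tscript:void(0)">syllabus</a>'),
    ("net-sec", '<p>Read <a href="https://example.org/rfc">the RFC</a>.</p>'),
]

if __name__ == "__main__":
    for name, description in SAMPLE_COURSES:
        for finding in audit_description(description):
            print(f"{name}: {finding}")
```

Rows with findings are candidates for manual review and cleanup after the upgrade, since a fix to input handling does not remove content that was stored earlier.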