Skip to main content

Mentor LMS CVE-2025-11304

LOW
Origin Validation Error (CWE-346)
2025-10-05 cna@vuldb.com
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

1
Analysis Generated
Apr 29, 2026 - 01:52 vuln.today

DescriptionCVE.org

A flaw has been found in CodeCanyon/ui-lib Mentor LMS up to 1.1.1. Affected by this vulnerability is an unknown functionality of the component API. Executing manipulation can lead to permissive cross-domain policy with untrusted domains. The attack may be launched remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Mentor LMS up to version 1.1.1 allows permissive cross-domain policies with untrusted domains through an unspecified API component, enabling information disclosure via remote unauthenticated requests with user interaction. The CVSS 2.1 score reflects limited confidentiality impact; however, EPSS indicates very low real-world exploitation probability (0.02nd percentile), and the vulnerability requires user interaction, substantially limiting practical risk despite publicly available exploit code.

Technical ContextAI

Mentor LMS is a learning management system component from CodeCanyon/ui-lib. The vulnerability exists in an unspecified API endpoint and relates to improper cross-domain policy configuration (CWE-346: Origin Validation Error). This class of flaw typically manifests in Cross-Origin Resource Sharing (CORS) policies or similar cross-domain access controls that fail to properly validate or restrict trusted domains, allowing requests from untrusted or attacker-controlled domains to access sensitive data or functionality. The CVSS vector indicates network-accessible attack surface with low complexity and no privilege escalation required, but user interaction is mandatory, suggesting the flaw may involve browser-based attacks or require user-initiated actions to trigger the vulnerable code path.

Affected ProductsAI

CodeCanyon Mentor LMS versions up to and including 1.1.1 are affected. The vulnerability impacts the API component within the ui-lib package. No CPE string was identified in available references, and no specific version ranges beyond 'up to 1.1.1' are documented. The vendor (CodeCanyon) did not respond to disclosure attempts, limiting confirmation of the exact version boundaries or whether later releases exist.

RemediationAI

Upgrade Mentor LMS to a version newer than 1.1.1 if available; however, because the vendor did not respond to the original disclosure, no patched version has been publicly confirmed. As an interim compensating control, restrict cross-domain API access by implementing a strict CORS policy that explicitly whitelists only trusted domains and denies requests from untrusted or attacker-controlled origins. If the vulnerable API endpoint functionality is non-essential, disable it entirely or restrict access to authenticated, same-origin requests only. Deploy a Web Application Firewall (WAF) rule to block cross-domain requests to the affected API component. These controls mitigate information disclosure risk by enforcing origin validation independent of the application code. Monitor vendor communication channels (CodeCanyon support, GitHub repository if one exists) for security updates, as vendor non-responsiveness suggests updates may be irregular.

Share

CVE-2025-11304 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy