LearnHouse
CVE-2025-12269
LOW
Severity by source
CVSS vector (NVD): CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
Description (CVE.org)
A vulnerability was found in LearnHouse up to 98dfad76aad70711a8113f6c1fdabfccf10509ca. The affected element is an unknown function of the file /dash/org/settings/previews of the component Account Setting Page. The manipulation results in cross site scripting. It is possible to launch the attack remotely. The exploit has been made public and could be used. This product takes the approach of rolling releases to provide continuous delivery. Therefore, version details for affected and updated releases are not available. The vendor was contacted early about this disclosure but did not respond in any way.
Analysis (AI)
Stored cross-site scripting (XSS) in LearnHouse Account Setting Page allows authenticated users to inject malicious scripts via the /dash/org/settings/previews endpoint, affecting all versions up to commit 98dfad76aad70711a8113f6c1fdabfccf10509ca. An attacker with valid credentials can craft a malicious request that, when viewed by another user (requiring user interaction), executes arbitrary JavaScript in their browser context with potential for data theft or session hijacking. Public exploit code exists, though exploitation requires both login credentials and victim interaction, limiting real-world impact despite the network-accessible vector.
Technical Context (AI)
LearnHouse is a learning management system that uses a rolling release model without versioned releases. The vulnerability resides in the Account Setting Page component, specifically the /dash/org/settings/previews endpoint, which fails to properly sanitize user input before storing or rendering it in HTML context. This is a stored XSS vulnerability (CWE-79), where unsanitized user-controlled data persists in the application database and is later rendered to other users' browsers. The attack vector is network-accessible (AV:N) but requires prior authentication (PR:L) and user interaction (UI:P) to trigger the payload, as the victim must view the affected page containing the injected script.
Remediation (AI)
Upgrade LearnHouse to a version released after commit 98dfad76aad70711a8113f6c1fdabfccf10509ca, though the vendor has not responded to disclosure requests and no official patched release timeline is available. In the interim, implement output encoding for all user-supplied input rendered in the Account Setting Page, specifically the /dash/org/settings/previews endpoint, using context-appropriate HTML entity encoding or a templating engine with automatic escaping enabled. Restrict access to the Account Setting Page to trusted administrators only if possible, reducing the number of users who can inject and trigger payloads. Monitor for malicious activity in account settings using web application firewalls (WAF) configured to block stored XSS patterns (script tags, event handlers) in the previews parameter. Note that user interaction is required for exploitation, so educating users to avoid clicking suspicious links or viewing untrusted account settings provides additional defense; however, do not rely on user training alone.
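One way to apply the context-appropriate encoding described above, as an added example (not LearnHouse code and not code from this advisory); the `title` and `link` fields, the function names and the sample record are hypothetical. It shows that entity encoding covers HTML text and quoted attribute values, while a URL attribute also needs a scheme allow-list.

```javascript
// Added example: hypothetical field and function names, not LearnHouse code.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Encode a value for HTML element content or a quoted attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// URL attributes need a scheme allow-list as well: entity encoding alone
// leaves a non-http(s) scheme such as "javascript:" intact.
function safeUrl(value, fallback = '#') {
  let url;
  try {
    url = new URL(String(value).trim());
  } catch {
    return fallback; // relative or malformed input is rejected in this sketch
  }
  return ['http:', 'https:'].includes(url.protocol) ? url.href : fallback;
}

// Render a stored setting into markup, encoding each value for its context.
function renderPreview(setting) {
  return '<a class="preview" href="' + escapeHtml(safeUrl(setting.link)) + '">' +
    escapeHtml(setting.title) + '</a>';
}

// Constructed sample records, as they might come back from storage.
const hostile = { title: '<img src=x onerror=alert(1)>', link: 'javascript:alert(1)' };
const benign = { title: 'Docs', link: 'https://example.org/a?b=1&c=2' };

console.log(renderPreview(hostile));
console.log(renderPreview(benign));
```

Encoding at render time, as here, protects every page that displays the stored value, including records saved before any input filter was in place.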