CVE-2025-11283

Medium CVSS: 4.8

A vulnerability was determined in Frappe LMS 2.35.0. This affects an unknown function of the component Course Handler. Executing manipulation of the argument Description can lead to cross site scripting. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. It is suggested to upgrade the affected component. The vendor was informed early about a total of four security issues and confirmed that those have been fixed. However, the release notes on GitHub do not mention them.

Vendor

Frappe

Product

Learning

CWE

CWE-79

Yayın Tarihi

2025-10-05 05:15:31

Güncelleme

2025-10-07 20:37:57

Source Identifier

cna@vuldb.com

KEV Date Added

Kategoriler

CWE-79 Learning MEDIUM Frappe 2025

Referanslar

https://gist.github.com/0xHamy/1f99795df9301a95ee0c6d18028cd3da https://gist.github.com/0xHamy/1f99795df9301a95ee0c6d18028cd3da#steps-to-reproduce https://vuldb.com/?ctiid.327017 https://vuldb.com/?id.327017 https://vuldb.com/?submit.659697

Benzer Kayıtlar

Medium

CVE-2026-34606

Frappe Learning Management System (LMS) is a learning system that helps users structure their content. From version 2.27…

High

CVE-2026-32954

ERP is a free and open source Enterprise Resource Planning tool. In versions prior to 16.8.0 and 15.100.0, certain endpo…

Critical

CVE-2026-31877

Frappe is a full-stack web application framework. Prior to 15.84.0 and 14.99.0, a specially crafted request made to a ce…

Medium

CVE-2026-31878

Frappe is a full-stack web application framework. Prior to 14.100.1, 15.100.0, and 16.6.0, a malicious user could send a…

Medium

CVE-2026-31879

Frappe is a full-stack web application framework. Prior to 14.100.2, 15.101.0, and 16.10.0, due to a lack of validation…

Medium

CVE-2026-28436

Frappe is a full-stack web application framework. Prior to versions 16.11.0 and 15.102.0, an attacker can set a crafted…