Jannat Patel - Security Researcher - Exploit Intelligence Platform

CVE-2023-5555 WRITEUP MEDIUM WRITEUP

Frappe Learning - XSS

Cross-site Scripting (XSS) - Generic in GitHub repository frappe/lms prior to 5614a6203fb7d438be8e2b1e3030e4528d170ec4.

CVSS 6.1

View Code

CVE-2025-59415 WRITEUP MEDIUM WRITEUP

Frappe Learning < 2.35.0 - XSS

Frappe Learning is a learning system that helps users structure their content. In versions 2.34.1 and below, there is a security vulnerability in Frappe Learning where the system did not adequately sanitize the content uploaded in the profile bio. Malicious SVG files could be used to execute arbitrary scripts in the context of other users.

CVSS 4.6

View Code

CVE-2025-62158 WRITEUP MEDIUM WRITEUP

Frappe Learning - Information Disclosure

Frappe Learning is a learning system that helps users structure their content. In versions prior to 2.38.0, the system did stored the attachments uploaded by the students in their assignments as public files. This issue potentially exposed student-uploaded files to the public. Anyone with the file URL could access these files without authentication. The issue has been fixed in version 2.38.0 by ensuring all student-uploaded assignment attachments are stored as private files by default.

CVSS 5.3

View Code

CVE-2025-62778 WRITEUP MEDIUM WRITEUP

Frappe Learning <2.39.1 - Info Disclosure

Frappe Learning is a learning management system. A security issue was identified in Frappe Learning 2.39.1 and earlier, where students were able to access the Quiz Form if they had the URL.

CVSS 5.3

View Code

CVE-2025-62779 WRITEUP MEDIUM WRITEUP

Frappe Learning < 2.39.2 - XSS

Frappe Learning is a learning system that helps users structure their content. In Frappe Learning 2.39.1 and earlier, users were able to add HTML through input fields in the Job Form.

CVSS 5.4

View Code

CVE-2025-67734 WRITEUP MEDIUM WRITEUP

Frappe Learning < 2.42.0 - XSS

Frappe Learning Management System (LMS) is a learning system that helps users structure their content. Versions prior to 2.42.0 allowed authenticated attackers to enter JavaScript through the Company Website field of the Job Form, exposing users to an XSS attack. The script could then be executed in the browsers of users who opened the malicious job posting. This issue is fixed in version 2.42.0.

CVSS 5.4

View Code

CVE-2026-23497 WRITEUP MEDIUM WRITEUP

Frappe LMS <2.44.0 - XSS

Frappe Learning Management System (LMS) is a learning system that helps users structure their content. In 2.44.0 and earlier, there is a stored XSS vulnerability where a specially crafted image filename could execute malicious JavaScript when rendered on course or jobs pages.

CVSS 5.4

View Code