CVE-2021-47907

Rocket LMS 1.1 Persistent Cross-Site Scripting via Support Tickets

CVSS 5.1 MEDIUM · EPSS 0.2% · CWE-79
Rocket LMS 1.1 contains a persistent cross-site scripting vulnerability in the support ticket module that allows authenticated users to inject malicious script code through the title parameter. Attackers can submit support tickets with embedded HTML/JavaScript payloads that execute in the browsers of other users viewing the message history, enabling session hijacking and phishing attacks.
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
Affected products
Rocketsoft · Rocket LMS