CVE-2025-11282

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2025-11282

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-11282.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-11282

Aliases

CVE-2025-55006
GHSA-mvxw-r9x4-3vrr

Published

2025-10-05T05:15:30.460Z

Modified

2026-03-15T22:50:11.406812Z

Severity

6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N CVSS Calculator

Summary

[none]

Details

A vulnerability was found in Frappe LMS 2.34.x/2.35.0. The impacted element is an unknown function of the component Incomplete Fix CVE-2025-55006. Performing manipulation results in cross site scripting. Remote exploitation of the attack is possible. The exploit has been made public and could be used. The affected component should be upgraded. The vendor was informed early about a total of four security issues and confirmed that those have been fixed. However, the release notes on GitHub do not mention them.

References

Affected packages

Git / github.com/frappe/lms

Affected ranges

Type

GIT

Repo

https://github.com/frappe/lms

Events

Introduced

5ff100da27ef81ee093a79287f75bffb6a1c9197

Last affected

2e0cd1964c4a4dd2e5a45a6ce946c89194635894

Database specific

{
    "versions": [
        {
            "introduced": "2.34.0"
        },
        {
            "last_affected": "2.35.0"
        }
    ]
}

Affected versions

v2.*

v2.34.0

v2.34.1

v2.35.0

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-11282.json"