
Classroomio LMS Under Attack: Stored XSS Vulnerability Exploited via SVG Profile Pictures (CVE-2025-65675)

Overview

This article details a stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2025-65675 affecting Classroomio LMS version 0.1.13. This vulnerability allows authenticated attackers to inject and execute arbitrary JavaScript code within the application, potentially leading to account compromise, data theft, and other malicious activities. The exploit is triggered by uploading a specially crafted SVG file as a user profile picture.

Technical Details

The vulnerability resides in the application’s handling of user-uploaded profile pictures, specifically when SVG files are permitted. The application fails to properly sanitize the SVG file content, allowing an attacker to embed malicious JavaScript code within the <svg> tag. When another user views the profile of the attacker who uploaded the malicious SVG, the embedded JavaScript code is executed within their browser, in the context of the Classroomio LMS domain. This is a stored XSS vulnerability because the malicious SVG is stored on the server and served to other users, allowing the attack to persist.

The attack typically involves crafting an SVG file containing a payload such as:

    <svg xmlns="http://www.w3.org/2000/svg" onload="alert('XSS Vulnerability!')"></svg>

When this SVG is rendered by the application in a user’s profile, the onload event triggers, executing the JavaScript code.

CVSS Analysis

The CVE record lists both Severity and CVSS Score as N/A. Although no CVSS score has been formally assigned, a high severity score would be typical given the nature of stored XSS. Determining an accurate base score requires a more detailed CVSS analysis that takes into account attack vector, attack complexity, privileges required, user interaction, scope, confidentiality impact, integrity impact, and availability impact.

Possible Impact

The exploitation of this stored XSS vulnerability can have significant consequences:

  • Account Takeover: An attacker could steal user session cookies and hijack user accounts.
  • Data Theft: Sensitive data within the application, such as user information, course materials, and grades, could be stolen.
  • Malware Distribution: The attacker could inject code that redirects users to malicious websites or installs malware on their systems.
  • Defacement: The attacker could modify the appearance of the application, causing disruption and damage to the platform’s reputation.
  • Privilege Escalation: An attacker might be able to elevate their privileges within the application, depending on the roles of the users they compromise.

Mitigation and Patch Steps

To mitigate the risk of this vulnerability, the following steps are recommended:

  • Upgrade Classroomio LMS: Check the official Classroomio repository for patched versions. Upgrade to the latest version as soon as possible.
  • Input Sanitization: Implement robust input validation and sanitization for all user-supplied data, especially for file uploads. Specifically, sanitize the content of SVG files to remove any potentially malicious JavaScript code.
  • Content Security Policy (CSP): Implement a strict Content Security Policy to restrict the sources from which the browser can load resources. This can help prevent the execution of injected JavaScript code.
  • Disable SVG Uploads (Temporary): As a temporary measure, consider disabling SVG uploads until a proper patch is available.
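
The following added example (not code from Classroomio or from the original article) shows one way to enforce the "disable SVG uploads" step on the server: the avatar is accepted only when its leading bytes match a raster image format, so an SVG is rejected even if the client labels it as a PNG. All function and field names are hypothetical, and the sample inputs are constructed.

```javascript
// Added example, not Classroomio code; all names are hypothetical.
// Accept an avatar only if its leading bytes match a raster image format.
const RASTER_SIGNATURES = [
  { type: 'image/png',  bytes: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
  { type: 'image/jpeg', bytes: [0xff, 0xd8, 0xff] },
  { type: 'image/gif',  bytes: [0x47, 0x49, 0x46, 0x38] }, // "GIF8"
];

function startsWith(buf, bytes, offset = 0) {
  return buf.length >= offset + bytes.length &&
    bytes.every((b, i) => buf[offset + i] === b);
}

// Returns the detected raster MIME type, or null for anything else (SVG included).
function sniffRasterType(buf) {
  for (const sig of RASTER_SIGNATURES) {
    if (startsWith(buf, sig.bytes)) return sig.type;
  }
  // WebP layout: "RIFF", 4-byte size, "WEBP"
  if (startsWith(buf, [0x52, 0x49, 0x46, 0x46]) &&
      startsWith(buf, [0x57, 0x45, 0x42, 0x50], 8)) return 'image/webp';
  return null;
}

// The client-supplied type is never trusted; the stored type comes from the bytes.
function checkAvatarUpload({ claimedType, data }) {
  const detected = sniffRasterType(data);
  if (!detected) {
    return { ok: false, reason: `rejected upload claimed as ${claimedType}` };
  }
  return { ok: true, type: detected };
}

// Headers for serving a stored avatar: fixed type, no sniffing, no script execution.
function avatarResponseHeaders(type) {
  return {
    'Content-Type': type,
    'X-Content-Type-Options': 'nosniff',
    'Content-Security-Policy': "default-src 'none'; sandbox",
  };
}

// Constructed samples: the SVG shown earlier in this article, and a PNG file header.
const svgSample = Buffer.from(
  `<svg xmlns="http://www.w3.org/2000/svg" onload="alert('XSS Vulnerability!')"></svg>`);
const pngSample = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0, 0, 0, 0x0d]);
console.log(checkAvatarUpload({ claimedType: 'image/png', data: svgSample }));
console.log(checkAvatarUpload({ claimedType: 'image/png', data: pngSample }));
```

Signature checks only establish the file type; re-encoding accepted images on the server is a common additional step.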

References

Cybersecurity specialist and founder of Gowri Shankar Infosec - a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.
