CVE-2021-24455Cross-site Scripting in Tutor LMS

CWE-79Cross-site Scripting3 documents3 sources
Severity
5.4MEDIUMNVD
EPSS
0.2%
top 54.54%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Themeum Tutor LMS
Timeline
PublishedAug 2
Latest updateMay 24

Description

The Tutor LMS – eLearning and online course solution WordPress plugin before 1.9.2 did not escape the Summary field of Announcements (when outputting it in an attribute), which can be created by users as low as Tutor Instructor. This lead to a Stored Cross-Site Scripting issue, which is triggered when viewing the Announcements list, and could result in privilege escalation when viewed by an admin.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages1 packages

NVDthemeum/tutor_lms< 1.9.2

🔴Vulnerability Details

2
GHSA
GHSA-mgxx-qj86-p4ch: The Tutor LMS – eLearning and online course solution WordPress plugin before 12022-05-24
CVEList
Tutor LMS < 1.9.2 - Authenticated Stored Cross-Site Scripting (XSS)2021-08-02
CVE-2021-24455 — Cross-site Scripting in Tutor LMS | cvebase