CVE-2021-47907
Published 2026-05-10
Priority P4 · 32 · medium · 6.4 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
EPSS: 0.24% (14.3th percentile)
Rocket LMS 1.1 contains a persistent cross-site scripting vulnerability in the support ticket module that allows authenticated users to inject malicious script code through the title parameter. Attackers can submit support tickets with embedded HTML/JavaScript payloads that execute in the browsers of other users viewing the message history, enabling session hijacking and phishing attacks.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| rocketsoft | rocket_lms | — | — |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.4 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N |
| nvd | v4.0 | 5.1 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
GHSA
GHSA-p5cq-w88f-fj6p: Rocket LMS 1
ghsa_unreviewed·2026-05-10
CVE-2021-47907 [MEDIUM] CWE-79 GHSA-p5cq-w88f-fj6p: Rocket LMS 1
VulDB
Rocketsoft Rocket LMS 1.1 Support Ticket Title cross site scripting (Exploit 50677 / EDB-50677)
vuldb·2026-05-10·CVSS 5.1
CVE-2021-47907 [MEDIUM] Rocketsoft Rocket LMS 1.1 Support Ticket Title cross site scripting (Exploit 50677 / EDB-50677)
A vulnerability classified as problematic was found in Rocketsoft Rocket LMS 1.1. This affects an unknown function of the component Support Ticket Module. The manipulation of the argument Title results in cross site scripting.
This vulnerability is reported as CVE-2021-47907. The attack can be launched remotely. Moreover, an exploit is present.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2026-05-10: Published