Frappe LMS Incomplete Fix CVE-2025-55006 cross site scripting

A vulnerability was found in Frappe LMS 2.34.x/2.35.0. The impacted element is an unknown function of the component Incomplete Fix CVE-2025-55006. Performing manipulation results in cross site scripting. Remote exploitation of the attack is possible. The exploit has been made public and could be used. The affected component should be upgraded. The vendor was informed early about a total of four security issues and confirmed that those have been fixed. However, the release notes on GitHub do not mention them.

Problem type

Affected products

Frappe

LMS

2.34.x - AFFECTED

2.35.0 - AFFECTED

References

VDB-327016 | Frappe LMS Incomplete Fix CVE-2025-55006 cross site scripting

https://vuldb.com/?id.327016

vdb-entry

VDB-327016 | CTI Indicators (IOB, IOC, TTP)

https://vuldb.com/?ctiid.327016

signaturepermissions-required

Submit #659696 | Frappe Frappe LMS 2.35.0 Cross Site Scripting

https://vuldb.com/?submit.659696

third-party-advisory

github.com

https://github.com/frappe/lms/security/advisories/GHSA-mvxw-r9x4-3vrr

gist.github.com

https://gist.github.com/0xHamy/c2a81f2d1c779c513fa3db6f3ad24544#steps-to-reproduce

exploit

GitHub Security Advisories

GHSA-57c3-6898-289j

A vulnerability was found in Frappe LMS 2.34.x/2.35.0. The impacted element is an unknown...

https://github.com/advisories/GHSA-57c3-6898-289j

github.com

https://github.com/frappe/lms/security/advisories/GHSA-mvxw-r9x4-3vrr

nvd.nist.gov

https://nvd.nist.gov/vuln/detail/CVE-2025-11282

gist.github.com

https://gist.github.com/0xHamy/c2a81f2d1c779c513fa3db6f3ad24544#steps-to-reproduce

vuldb.com

https://vuldb.com/?ctiid.327016

vuldb.com

https://vuldb.com/?id.327016

vuldb.com

https://vuldb.com/?submit.659696

github.com

https://github.com/advisories/GHSA-57c3-6898-289j

JSON source

Click to expand

{
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "cveMetadata": {
    "cveId": "CVE-2025-11282",
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "dateUpdated": "2025-10-07T18:53:36.549Z",
    "dateReserved": "2025-10-04T09:22:36.514Z",
    "datePublished": "2025-10-05T04:32:06.034Z",
    "state": "PUBLISHED"
  },
  "containers": {
    "cna": {
      "providerMetadata": {
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB",
        "dateUpdated": "2025-10-05T04:32:06.034Z"
      },
      "title": "Frappe LMS Incomplete Fix CVE-2025-55006 cross site scripting",
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability was found in Frappe LMS 2.34.x/2.35.0. The impacted element is an unknown function of the component Incomplete Fix CVE-2025-55006. Performing manipulation results in cross site scripting. Remote exploitation of the attack is possible. The exploit has been made public and could be used. The affected component should be upgraded. The vendor was informed early about a total of four security issues and confirmed that those have been fixed. However, the release notes on GitHub do not mention them."
        },
        {
          "lang": "de",
          "value": "Eine Schwachstelle wurde in Frappe LMS 2.34.x/2.35.0 gefunden. Es geht um eine nicht näher bekannte Funktion der Komponente Incomplete Fix CVE-2025-55006. Durch Manipulation mit unbekannten Daten kann eine cross site scripting-Schwachstelle ausgenutzt werden. Der Angriff kann über das Netzwerk angegangen werden. Der Exploit wurde der Öffentlichkeit bekannt gemacht und könnte verwendet werden. Es wird empfohlen, die betroffene Komponente zu aktualisieren."
        }
      ],
      "affected": [
        {
          "vendor": "Frappe",
          "product": "LMS",
          "modules": [
            "Incomplete Fix CVE-2025-55006"
          ],
          "versions": [
            {
              "version": "2.34.x",
              "status": "affected"
            },
            {
              "version": "2.35.0",
              "status": "affected"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "lang": "en",
              "description": "Cross Site Scripting",
              "cweId": "CWE-79",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "lang": "en",
              "description": "Code Injection",
              "cweId": "CWE-94",
              "type": "CWE"
            }
          ]
        }
      ],
      "references": [
        {
          "url": "https://vuldb.com/?id.327016",
          "name": "VDB-327016 | Frappe LMS Incomplete Fix CVE-2025-55006 cross site scripting",
          "tags": [
            "vdb-entry"
          ]
        },
        {
          "url": "https://vuldb.com/?ctiid.327016",
          "name": "VDB-327016 | CTI Indicators (IOB, IOC, TTP)",
          "tags": [
            "signature",
            "permissions-required"
          ]
        },
        {
          "url": "https://vuldb.com/?submit.659696",
          "name": "Submit #659696 | Frappe Frappe LMS 2.35.0 Cross Site Scripting",
          "tags": [
            "third-party-advisory"
          ]
        },
        {
          "url": "https://github.com/frappe/lms/security/advisories/GHSA-mvxw-r9x4-3vrr",
          "tags": [
            "related"
          ]
        },
        {
          "url": "https://gist.github.com/0xHamy/c2a81f2d1c779c513fa3db6f3ad24544#steps-to-reproduce",
          "tags": [
            "exploit"
          ]
        }
      ],
      "metrics": [
        {},
        {
          "cvssV3_1": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C",
            "baseScore": 2.4,
            "baseSeverity": "LOW"
          }
        },
        {
          "cvssV3_0": {
            "version": "3.0",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C",
            "baseScore": 2.4,
            "baseSeverity": "LOW"
          }
        },
        {
          "cvssV2_0": {
            "version": "2.0",
            "vectorString": "AV:N/AC:L/Au:M/C:N/I:P/A:N/E:POC/RL:OF/RC:C",
            "baseScore": 3.3
          }
        }
      ],
      "timeline": [
        {
          "time": "2025-10-04T00:00:00.000Z",
          "lang": "en",
          "value": "Advisory disclosed"
        },
        {
          "time": "2025-10-04T02:00:00.000Z",
          "lang": "en",
          "value": "VulDB entry created"
        },
        {
          "time": "2025-10-04T11:28:18.000Z",
          "lang": "en",
          "value": "VulDB entry last update"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "0xHamy (VulDB User)",
          "type": "reporter"
        }
      ]
    },
    "adp": [
      {
        "providerMetadata": {
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP",
          "dateUpdated": "2025-10-07T18:53:36.549Z"
        },
        "title": "CISA ADP Vulnrichment",
        "references": [
          {
            "url": "https://gist.github.com/0xHamy/c2a81f2d1c779c513fa3db6f3ad24544#steps-to-reproduce",
            "tags": [
              "exploit"
            ]
          },
          {
            "url": "https://vuldb.com/?submit.659696",
            "tags": [
              "exploit"
            ]
          }
        ],
        "metrics": [
          {}
        ]
      }
    ]
  }
}

Mitre source

https://cveawg.mitre.org/api/cve/CVE-2025-11282