CVE-2025-65676

5.4 MEDIUM

📋 TL;DR

A stored cross-site scripting (XSS) vulnerability in Classroomio LMS version 0.1.13 allows an authenticated user to upload an SVG cover image that carries embedded JavaScript. The script runs, in the LMS's own origin, in the browser of any user who later opens the stored image in a context that renders it as a document. All deployments of Classroomio LMS 0.1.13 are affected.

💻 Affected Systems

Products:
  • Classroomio LMS
Versions: 0.1.13
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated user access to upload SVG cover images.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could steal session cookies or tokens, perform actions as the victim through the LMS's own authenticated requests, deface course content, or redirect victims to attacker-controlled sites (phishing pages, drive-by downloads).

🟠

Likely Case

Attackers steal session tokens to hijack user accounts, potentially accessing sensitive course materials or personal data.

🟢

If Mitigated

With SVG uploads rejected (or sanitized server-side) and stored files served with headers that block script execution, an injected script never runs in the application's origin.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit requires authenticated access; public proof-of-concept available on GitHub.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: http://classroomio.com

Restart Required: No

Instructions:

Check the vendor site and the project's release notes for a fixed release. Until one is confirmed, reject SVG cover images on the server side (by content, not only by extension or declared MIME type) or sanitize them, and serve uploaded files with headers that prevent script execution.

🔧 Temporary Workarounds

Disable SVG uploads

all

Reject SVG at the upload handler, validating on the server side. The client-supplied extension and Content-Type are attacker-controlled, so sniff the file bytes for an <svg> root element as well, and allow-list raster formats (PNG, JPEG, GIF, WebP) instead of block-listing SVG.

Configure the upload handler to reject image/svg+xml, and any file whose content parses as SVG, for cover images

Implement Content Security Policy

all

Add CSP headers to block script execution. The header must be sent on the response that serves the stored SVG, not only on the LMS pages: a browser does not run scripts in an SVG loaded through <img>, so the exploit path is opening the stored file directly (or through iframe, object or embed), and it is that response's policy that matters.

Send 'Content-Security-Policy: default-src 'self'; script-src 'self'' (no 'unsafe-inline') with the route that serves uploads; for that route 'default-src 'none'; sandbox' together with 'Content-Disposition: attachment' is tighter still. Check the application's own pages before applying the policy site-wide, since a policy without 'unsafe-inline', nonces or hashes also blocks the app's legitimate inline scripts
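Server-side enforcement of the two workarounds above, as an added example that is not Classroomio's own code (the project is a JavaScript/TypeScript codebase, so this is written for Node.js). It rejects SVG cover images by extension, by declared type and, because both are attacker-controlled, by sniffing the bytes for an <svg> root; it allow-lists raster formats by their magic bytes; and it builds the hardened headers for the route that serves stored uploads. The function names, the header set and the sample inputs are assumptions for this example.

```javascript
// Added example, not Classroomio's own code. Route, field and function
// names are assumptions; the sample inputs below are constructed.

// Client-supplied type and extension are checked, but neither is trusted on
// its own: the bytes are sniffed as well.
const SVG_MIME_TYPES = new Set(['image/svg+xml', 'image/svg', 'text/xml', 'application/xml']);
const SVG_EXTENSIONS = new Set(['.svg', '.svgz']);

// Strip a BOM, XML declaration, comments and DOCTYPE (including an internal
// subset), then check whether the first element is <svg>, optionally
// namespace-prefixed (e.g. <s:svg>).
function looksLikeSvg(bytes) {
  let text = Buffer.from(bytes).subarray(0, 4096).toString('utf8').replace(/^\uFEFF/, '');
  let before;
  do {
    before = text;
    text = text
      .replace(/^\s+/, '')
      .replace(/^<\?xml[^>]*\?>/i, '')
      .replace(/^<!--[\s\S]*?-->/, '')
      .replace(/^<!DOCTYPE(?:[^>\[]|\[[\s\S]*?\])*>/i, '');
  } while (text !== before);
  return /^<(?:[a-z_][\w.-]*:)?svg[\s>\/]/i.test(text);
}

// Allow-list of raster formats, identified by magic bytes rather than by name.
function sniffRaster(bytes) {
  const b = Buffer.from(bytes);
  const ascii = (start, end) => b.subarray(start, end).toString('latin1');
  if (b.length >= 8 && ascii(0, 8) === '\x89PNG\r\n\x1a\n') return 'png';
  if (b.length >= 3 && b[0] === 0xff && b[1] === 0xd8 && b[2] === 0xff) return 'jpeg';
  if (b.length >= 6 && /^GIF8[79]a$/.test(ascii(0, 6))) return 'gif';
  if (b.length >= 12 && ascii(0, 4) === 'RIFF' && ascii(8, 12) === 'WEBP') return 'webp';
  return null;
}

// Decide whether an uploaded cover image may be stored.
function classifyCoverUpload({ filename, declaredMime, bytes }) {
  const ext = ((filename || '').match(/\.[^.]+$/) || [''])[0].toLowerCase();
  const mime = (declaredMime || '').split(';')[0].trim().toLowerCase();
  if (SVG_EXTENSIONS.has(ext)) return { accepted: false, reason: 'svg extension' };
  if (SVG_MIME_TYPES.has(mime)) return { accepted: false, reason: 'svg mime type' };
  if (looksLikeSvg(bytes)) return { accepted: false, reason: 'svg content (sniffed)' };
  const kind = sniffRaster(bytes);
  if (!kind) return { accepted: false, reason: 'not an allow-listed raster image' };
  return { accepted: true, kind };
}

// Headers for the route that serves stored uploads. Browsers do not run
// scripts in an <img>, so this costs nothing for legitimate covers; if an SVG
// ever slips through, the script-less CSP and the attachment disposition keep
// it from executing in the application's origin when opened directly.
function uploadResponseHeaders(kind) {
  return {
    'Content-Type': `image/${kind}`,
    'X-Content-Type-Options': 'nosniff',
    'Content-Security-Policy': "default-src 'none'; sandbox",
    'Content-Disposition': 'attachment',
    'Cache-Control': 'private, max-age=3600',
  };
}

// Constructed inputs: a generic script-bearing SVG disguised as a PNG by name
// and declared type, and the start of a real PNG.
const DISGUISED_SVG = {
  filename: 'cover.png',
  declaredMime: 'image/png',
  bytes: Buffer.from('\uFEFF<?xml version="1.0"?>\n<!-- cover -->\n<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>'),
};
const REAL_PNG = {
  filename: 'cover.png',
  declaredMime: 'image/png',
  bytes: Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0, 0, 0, 13]),
};

console.log(classifyCoverUpload(DISGUISED_SVG)); // { accepted: false, reason: 'svg content (sniffed)' }
console.log(classifyCoverUpload(REAL_PNG));      // { accepted: true, kind: 'png' }
```

The response headers are safe to apply to every stored upload: browsers ignore Content-Disposition for <img> subresource loads, and the script-less CSP only takes effect when someone opens the file as a document. Serving uploads from a separate origin (a dedicated host or bucket) is the stronger form of the same idea, because a script that does run there has no access to the LMS session.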

🧯 If You Can't Patch

  • Restrict cover-image upload permissions to trusted administrators only
  • Block SVG at a WAF or reverse proxy by file type, not by payload signature: SVG can carry script through on* event handlers, javascript: hrefs, <foreignObject> HTML and entity-encoded content, so a rule that only matches the literal string <script> is easily bypassed

🔍 How to Verify

Check if Vulnerable:

Check whether the Classroomio LMS version is 0.1.13. As an authenticated user, upload an SVG cover image containing a harmless script (for example an alert) and open the stored file directly in a browser; if the script runs, the instance is vulnerable.

Check Version:

Check package.json in the deployed source, or the version shown in the application's configuration or admin UI

Verify Fix Applied:

Upload an SVG with a script payload again. Verify that the upload is rejected, or, if SVG is still accepted, that opening the stored file directly does not execute the script (a CSP violation in the browser console confirms the header is in place).

📡 Detection & Monitoring

Log Indicators:

  • SVG files (by extension or image/svg+xml type) arriving at the cover-image upload endpoint, especially repeatedly from one account
  • Multiple rejected upload attempts from one account, indicating probing of the upload validator

Network Indicators:

  • Multipart upload requests carrying image/svg+xml content, in particular with <script>, on*= handlers or javascript: URLs in the body
  • Stored .svg files fetched as a top-level document (Sec-Fetch-Dest: document) or through iframe, object or embed rather than as an image; those are the loads in which an embedded script actually runs

SIEM Query:

source="web_logs" AND http_method="POST" AND (upload_filename="*.svg" OR upload_content_type="image/svg+xml")

Field names are illustrative. Plain access logs do not record the request body, so matching on "script" or "javascript" requires WAF or upload-handler logs that capture file content.
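The log and network indicators above turned into detection logic, as an added example that is not part of the original advisory or of the Classroomio project. It runs over constructed JSON access-log lines; the log shape and field names (upload_name, upload_mime, sec_fetch_dest) are assumptions, to be mapped onto whatever your proxy or upload handler actually records. It flags SVG arriving at the upload endpoint, repeated rejected uploads from one account, and stored SVGs fetched under a destination in which the browser runs their scripts.

```javascript
// Added example, not from the advisory or the Classroomio project.
// Log shape and field names are assumptions; the sample lines are constructed.
const SAMPLE_LOG = [
  '{"ts":"2025-01-10T09:00:01Z","ip":"203.0.113.5","user":"u123","method":"POST","path":"/api/courses/42/cover","status":201,"upload_name":"cover.png","upload_mime":"image/png"}',
  '{"ts":"2025-01-10T09:02:11Z","ip":"203.0.113.5","user":"u123","method":"POST","path":"/api/courses/42/cover","status":201,"upload_name":"banner.svg","upload_mime":"image/svg+xml"}',
  '{"ts":"2025-01-10T09:02:40Z","ip":"198.51.100.7","user":"u777","method":"GET","path":"/uploads/covers/42.svg","status":200,"sec_fetch_dest":"image"}',
  '{"ts":"2025-01-10T09:03:05Z","ip":"198.51.100.9","user":"u888","method":"GET","path":"/uploads/covers/42.svg","status":200,"sec_fetch_dest":"document"}',
  '{"ts":"2025-01-10T09:03:30Z","ip":"203.0.113.5","user":"u123","method":"POST","path":"/api/courses/42/cover","status":415,"upload_name":"cover.png","upload_mime":"image/png"}',
  'not json at all',
].join('\n');

const SVG_RE = /\.svgz?(?:$|[?#])/i;
const SVG_MIMES = new Set(['image/svg+xml', 'image/svg']);
// Fetch destinations under which a browser renders an SVG as a document and
// therefore runs its scripts; an <img> load ("image") never does.
const SCRIPT_RUNNING_DESTS = new Set(['document', 'iframe', 'frame', 'object', 'embed']);

// One JSON object per line; malformed lines are skipped rather than fatal.
function parseLogLines(text) {
  const entries = [];
  for (const line of text.split('\n')) {
    if (!line.trim()) continue;
    try {
      entries.push(JSON.parse(line));
    } catch (err) {
      // skip malformed lines
    }
  }
  return entries;
}

// An upload whose file name or declared type says SVG. A disguised SVG
// (PNG name, PNG type, SVG bytes) is only visible to the upload handler's
// own content check, so log its verdict there and feed it in as well.
function isSvgUpload(e) {
  const mime = (e.upload_mime || '').split(';')[0].trim().toLowerCase();
  return e.method === 'POST' && (SVG_RE.test(e.upload_name || '') || SVG_MIMES.has(mime));
}

// An upload the server rejected: repeated rejections from one account suggest
// someone probing the validator.
function isRejectedUpload(e) {
  return e.method === 'POST' && typeof e.upload_name === 'string' && e.status >= 400;
}

// A stored SVG served to a destination in which its script would execute.
function isSvgDocumentLoad(e) {
  return e.method === 'GET' && e.status === 200 && SVG_RE.test(e.path || '')
    && SCRIPT_RUNNING_DESTS.has((e.sec_fetch_dest || '').toLowerCase());
}

function countBy(entries, key) {
  const counts = {};
  for (const e of entries) counts[e[key]] = (counts[e[key]] || 0) + 1;
  return counts;
}

function triage(text) {
  const entries = parseLogLines(text);
  const svgUploads = entries.filter(isSvgUpload);
  const rejectedUploads = entries.filter(isRejectedUpload);
  const svgDocumentLoads = entries.filter(isSvgDocumentLoad);
  return {
    svgUploads,
    rejectedUploads,
    svgDocumentLoads,
    uploaders: countBy(svgUploads, 'user'),          // likely attacker accounts
    rejectedBy: countBy(rejectedUploads, 'user'),     // accounts probing the validator
    exposedUsers: [...new Set(svgDocumentLoads.map(e => e.user))], // potential victims
  };
}

const report = triage(SAMPLE_LOG);
console.log(JSON.stringify({ uploaders: report.uploaders, rejectedBy: report.rejectedBy, exposedUsers: report.exposedUsers }));
// {"uploaders":{"u123":1},"rejectedBy":{"u123":1},"exposedUsers":["u888"]}
```

An SVG fetched with Sec-Fetch-Dest of image is the normal cover-image load and is not an execution event; the document, iframe, object and embed destinations are. Older clients omit Sec-Fetch-Dest entirely, so treat a missing value on a direct .svg request as worth a look rather than as clean.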
