CVE-2025-67730

5.4 MEDIUM

📋 TL;DR

Frappe LMS versions before 2.42.0 contain a stored cross-site scripting (XSS) vulnerability that allows authenticated users to inject malicious HTML and JavaScript into description fields. This affects all users of vulnerable Frappe LMS instances, potentially compromising other users who view the injected content.

💻 Affected Systems

Products:
  • Frappe Learning Management System (LMS)
Versions: All versions prior to 2.42.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated user access to exploit. Affects description fields in Job, Course, and Batch forms.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker could steal session cookies, perform actions as other users, redirect to malicious sites, or deploy malware to users' browsers.

🟠 Likely Case

Attackers with authenticated access inject malicious scripts that execute when other users view job, course, or batch descriptions, potentially stealing credentials or session data.

🟢 If Mitigated

With proper input validation and output encoding, malicious scripts would be neutralized before execution.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access. The vulnerability is straightforward to exploit once authenticated.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.42.0

Vendor Advisory: https://github.com/frappe/lms/security/advisories/GHSA-jjc4-j3hw-33h2

Restart Required: Yes

Instructions:

1. Back up your Frappe LMS instance and database.
2. Update to version 2.42.0 or later using your package manager or deployment method.
3. Restart the application server.
4. Verify the update was successful.

🔧 Temporary Workarounds

Input Validation and Sanitization (applies to: all)

Implement server-side input validation and output encoding for description fields

Content Security Policy (applies to: all)

Implement a strict Content Security Policy header to mitigate XSS impact

🧯 If You Can't Patch

  • Restrict authenticated user permissions to minimize who can edit description fields
  • Implement web application firewall rules to detect and block XSS payloads

🔍 How to Verify

Check if Vulnerable:

Check if Frappe LMS version is below 2.42.0. Review if description fields accept and execute HTML/JavaScript input.

Check Version:

Check the Frappe LMS version in the admin panel or via the command line, depending on the deployment method.

Verify Fix Applied:

After updating to 2.42.0 or later, confirm that HTML and JavaScript entered into description fields is properly sanitized and does not execute when the content is viewed.

📡 Detection & Monitoring

Log Indicators:

  • Unusual HTML/JavaScript patterns in description field submissions
  • Multiple failed sanitization attempts

Network Indicators:

  • Unexpected external script loads from Frappe LMS pages
  • Suspicious outbound connections after viewing content

SIEM Query:

Search for patterns such as <script>, javascript:, or encoded variants of them in web application logs for Frappe LMS.
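As an added example, not taken from this advisory or from Frappe LMS, the following Python runs that search over constructed web-application log lines, decoding URL and HTML-entity encoding first so that an encoded payload is not missed; the log format, request path and field names are assumptions.

```python
import html
import re
from urllib.parse import unquote_plus

# Constructed sample web-application log lines (not real Frappe LMS logs).
# Assumed format: "<timestamp> <user> <method> <path> body=<form-encoded body>".
SAMPLE_LOGS = [
    "2025-01-10T09:00:01Z alice POST /api/method/save body=doctype=Course&description=%3Cp%3EIntro+to+Python%3C%2Fp%3E",
    "2025-01-10T09:01:12Z bob POST /api/method/save body=doctype=Job&description=%3Cscript%3Edocument.location%3D%27https%3A%2F%2Fexample.invalid%2F%27%3C%2Fscript%3E",
    "2025-01-10T09:02:45Z carol POST /api/method/save body=doctype=Batch&description=%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E",
    "2025-01-10T09:03:10Z dave POST /api/method/save body=doctype=Course&description=%3Ca+href%3D%22javascript%3Avoid%280%29%22%3Eclick%3C%2Fa%3E",
    # HTML-entity encoding on top of URL encoding: a naive grep for "<script>" misses this one.
    "2025-01-10T09:04:00Z erin POST /api/method/save body=doctype=Course&description=Learn+%26lt%3Bscript%26gt%3B+tags+safely",
]

DESC_RE = re.compile(r"[&?]description=([^&\s]*)")

# Markup that has no business in a course, job or batch description.
XSS_PATTERNS = {
    "script_tag": re.compile(r"<\s*script\b", re.I),
    "javascript_uri": re.compile(r"javascript\s*:", re.I),
    "event_handler": re.compile(r"\bon[a-z]+\s*=", re.I),
    "embedded_frame": re.compile(r"<\s*(iframe|object|embed)\b", re.I),
}

def decode_layers(value, max_rounds=3):
    """Peel off URL and HTML-entity encoding until the value stops changing,
    so the payload is inspected in the form a browser would actually render."""
    for _ in range(max_rounds):
        decoded = html.unescape(unquote_plus(value))
        if decoded == value:
            break
        value = decoded
    return value

def scan_log(lines):
    """Return (user, [matched pattern names]) for every description submission
    that still contains XSS-style markup after decoding."""
    hits = []
    for line in lines:
        match = DESC_RE.search(line)
        if not match:
            continue
        found = [name for name, rx in XSS_PATTERNS.items()
                 if rx.search(decode_layers(match.group(1)))]
        if found:
            hits.append((line.split()[1], found))  # second token is the user
    return hits
```

Treat hits as triage leads rather than verdicts: a description that legitimately discusses HTML (as erin's does) will also match, so review the decoded value before acting.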
