CVE-2025-67734
📋 TL;DR
This vulnerability allows authenticated attackers to inject malicious JavaScript into the Company Website field of the Job Form in Frappe LMS. When users view the compromised job posting, the script executes in their browsers, potentially stealing session cookies or performing unauthorized actions. This affects all users of Frappe LMS versions before 2.42.0.
💻 Affected Systems
- Frappe Learning Management System (LMS)
📦 What is this software?
Learning by Frappe
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator session cookies, take over accounts, deface the learning platform, or redirect users to malicious sites.
Likely Case
Attackers steal user session cookies to impersonate them, potentially accessing sensitive learning materials or personal information.
If Mitigated
With proper input validation and output encoding, the script would be rendered harmless as text rather than executed.
🎯 Exploit Status
Exploitation requires authenticated access but is technically simple - just entering JavaScript in the vulnerable field.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.42.0
Vendor Advisory: https://github.com/frappe/lms/security/advisories/GHSA-c495-qg4v-5vr7
Restart Required: No
Instructions:
1. Backup your Frappe LMS instance.
2. Update to version 2.42.0 or later using your package manager or git.
3. Run bench migrate if using Frappe Bench.
4. Verify the fix by checking the version.
🔧 Temporary Workarounds
Input Validation Workaround
Implement server-side validation to sanitize the Company Website field, rejecting or escaping JavaScript content.
Content Security Policy
Implement a strict Content Security Policy header to prevent inline script execution.
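The input-validation workaround above, shown as an added example (not Frappe's own code): it assumes the Company Website value is meant to be a plain http(s) URL and is rendered into an anchor tag. The validator enforces a scheme allowlist and rejects control characters (which URL parsers may silently strip, letting `java\tscript:` collapse into `javascript:`), and the renderer still output-encodes so a bad value that reached the database is displayed as text rather than executed.

```python
from html import escape
from urllib.parse import urlsplit

# Hypothetical server-side check for the Company Website field; the Frappe
# hook that would call it is not shown and is not the project's own code.
ALLOWED_SCHEMES = {"http", "https"}
MARKUP_CHARS = set('<>"\'')


def validate_company_website(value: str) -> str:
    """Return the URL unchanged if it is a plain http(s) URL, else raise ValueError."""
    if value is None:
        return ""
    value = value.strip()
    if not value:
        return ""
    # Reject before parsing: urlsplit() strips tabs and newlines, so a value such
    # as "java\tscript:..." would otherwise parse with the "javascript" scheme.
    if any(ch.isspace() or ord(ch) < 0x20 for ch in value):
        raise ValueError("control characters or whitespace inside URL")
    if MARKUP_CHARS & set(value):
        raise ValueError("markup characters in URL")
    parts = urlsplit(value)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("missing host")
    return value


def is_valid_company_website(value: str) -> bool:
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        validate_company_website(value)
        return True
    except ValueError:
        return False


def render_company_link(value: str) -> str:
    """Output-encode on the way out as well, so the page is safe even if an
    unvalidated value was stored before the fix was applied."""
    safe = escape(value, quote=True)
    return f'<a href="{safe}" rel="noopener noreferrer">{safe}</a>'


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate URL and three that must be rejected.
    for sample in ["https://example.com/careers", "javascript:alert(1)",
                   "java\tscript:alert(1)", '"><script>alert(1)</script>']:
        print(repr(sample), "->", is_valid_company_website(sample))
```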
🧯 If You Can't Patch
- Restrict job posting creation/editing permissions to trusted administrators only.
- Implement a web application firewall (WAF) with XSS protection rules.
🔍 How to Verify
Check if Vulnerable:
Check if your Frappe LMS version is below 2.42.0. Attempt to enter JavaScript in the Company Website field of a Job Form and see if it executes when viewing the job posting.
Check Version:
bench version (if using Frappe Bench) or check the package.json/version file in your installation.
Verify Fix Applied:
After updating to 2.42.0+, attempt to enter JavaScript in the Company Website field - it should be properly sanitized and not execute.
📡 Detection & Monitoring
Log Indicators:
- Unusual job posting creation/editing activity
- Log entries showing JavaScript code in Company Website field values
Network Indicators:
- HTTP requests containing JavaScript in Company Website field parameters
SIEM Query:
source="frappe_lms" AND (message="*<script>*" OR message="*javascript:*")