Lectora Desktop and Online XSS Vulnerability Enables JavaScript Injection
A critical cross-site scripting (XSS) vulnerability affecting both Lectora Desktop and Lectora Online has been disclosed, enabling attackers to inject JavaScript through crafted URL parameters.
Discovered by security researcher Mohammad Jassim and documented by the CERT® Coordination Center on September 22, 2025, this flaw poses a risk of client-side code execution, session hijacking, and user redirection if exploited in unpatched courses.
Vulnerability Details and Affected Versions
The XSS weakness exists in courses published with Seamless Play Publish (SPP) enabled and Web Accessibility disabled.
| CVE Identifier | Affected Products | Vulnerability |
|---|---|---|
| CVE-2025-9125 | Lectora Desktop 21.0–21.3; Lectora Online ≤7.1.6 | XSS via crafted URL parameters allows JavaScript injection, leading to alert or redirect, session hijacking, or user redirection. |
Lectora Desktop editions 21.0 through 21.3 (Inspire and Publisher) and Lectora Online up to version 7.1.6 are affected.
Although Lectora Desktop 21.4 was released on October 25, 2022, to address this issue, the update notes did not clearly instruct users to republish existing courses.
Lectora Online users received the fix automatically when version 7.1.7 went live on July 20, 2025.
Republishing is crucial because courses created or published before applying the patch continue to contain the vulnerability.
High-profile clients, including government agencies and large enterprises, may unknowingly expose their users if they have not republished legacy content.
When exploited, the vulnerability can trigger arbitrary client-side script execution in the context of the user’s browser.
Attackers could craft a URL that, when clicked by a course participant, runs malicious code capable of hijacking session cookies or redirecting the user to a phishing page.
Since many organizations rely on Lectora for training and compliance modules, successful exploitation could lead to compromised credentials or unauthorized access to sensitive training data.
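As an added illustration that is not Lectora's code, the following hypothetical course-player script shows the class of flaw described above: a URL parameter written into page markup without encoding (JavaScript injection) and an unchecked redirect parameter, each beside a safe handling. The parameter names `name` and `next`, the `course.example` host and the sample URLs are assumptions.

```javascript
// Constructed illustration of URL-parameter sinks in a published course page.
// Parameter names "name" (displayed text) and "next" (follow-on page) are hypothetical.

// Vulnerable pattern: the query value is concatenated straight into markup,
// so any tag or event handler in the parameter is interpreted by the browser.
function renderUnsafe(params) {
  return `<h1>Welcome, ${params.get("name") ?? "learner"}</h1>`;
}

// Hardened pattern: HTML-encode every untrusted character before it reaches markup.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function renderSafe(params) {
  return `<h1>Welcome, ${escapeHtml(params.get("name") ?? "learner")}</h1>`;
}

// Redirect parameter: resolve it against the course page and accept only
// same-origin targets. This rejects external phishing hosts, protocol-relative
// "//host" tricks and "javascript:"/"data:" schemes, whose origin is "null".
function safeRedirectTarget(params, pageUrl) {
  const next = params.get("next");
  if (!next) return null;
  let target;
  try {
    target = new URL(next, pageUrl);
  } catch {
    return null; // unparsable value: do not redirect at all
  }
  if (target.origin !== new URL(pageUrl).origin) return null;
  return target.href;
}

// Runs both handlers over one constructed course URL and returns the results.
function demo(courseUrl) {
  const params = new URL(courseUrl).searchParams;
  return {
    unsafe: renderUnsafe(params),
    safe: renderSafe(params),
    redirect: safeRedirectTarget(params, courseUrl),
  };
}
```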
To fully remediate this issue, administrators should:
- Update Lectora Desktop – Download and install version 21.4 or later from portal.elblearning.com. After upgrading, republish all courses created with versions 21.0 through 21.3 to apply the patch to existing content.
- Verify Lectora Online – Ensure that your account is running version 7.1.7 or newer. Although the update was auto-applied on July 20, 2025, you must republish any courses created before that date to secure them against this XSS flaw.
- Review Publishing Settings – The flaw affects courses published with Seamless Play Publish enabled and Web Accessibility disabled, so consider enabling Web Accessibility where it suits your organization's needs, since disabling it contributed to the vulnerability. Always follow best practices for secure course publication.
This vulnerability note was produced by Laurie Tyzenhaus with credit to Mohammad Jassim for reporting.