Stored Cross site scripting (XSS) vulnerability in Classroomio LMS 0.1.13 allows authenticated attackers to execute arbitrary code via crafted SVG cover images. Discovered by - Rivek Raj Tamang (RivuDon), Sikkim, India.# CVE-2025-65676
Stored Cross site scripting (XSS) vulnerability in Classroomio LMS 0.1.13 allows authenticated attackers to execute arbitrary code via crafted SVG cover images. Discovered by - Rivek Raj Tamang (RivuDon), Sikkim, India.
**Affected Product: ClassroomIO**
* Affected Version: 0.1.13
* **Discovered by: Rivek Raj Tamang (RivuDon), Sikkim, India**
## Vulnerability Details
Stored Cross Site Scripting
# Summary
A Stored Cross-Site Scripting (XSS) vulnerability exists in Classroomio LMS version 0.1.13, where the application fails to sanitize course cover image uploads. An authenticated attacker can upload a malicious SVG file containing embedded JavaScript, which is then stored and executed whenever the course cover image is viewed. Because the payload is executed from a trusted domain, this flaw can lead to session hijacking, account takeover, redirection attacks, or further exploitation within the platform.
## Steps to Reproduce
1. Log in and go to created course or create one
2. Click on landing page
3. Click on Header > replace image cover
3. Select the xss svg file and click on upload
4. Wait for it to save, refresh the page
<img width="1919" height="858" alt="image" src="https://github.com/user-attachments/assets/40c1eaee-439c-4cd8-9b7c-d2ea1b9d4ba9" />
6. Right click on the course cover image and open on a new tab
7. Note the stored xss being popped.
<img width="701" height="361" alt="image" src="https://github.com/user-attachments/assets/ef9b4d7d-627e-403b-9e45-6ae7417f7c11" />
# Acknowledgement
This vulnerability was discovered and responsibly reported by:
**Rivek Raj Tamang (RivuDon) from Sikkim, India**
https://www.linkedin.com/in/rivektamang/
https://rivudon.medium.com/
[4.0K] /data/pocs/170d363bb59e32b73d18b9d4cf9c371a2f2747bf
└── [1.7K] README.md
1 directory, 1 file