{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24671", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-23T20:40:23.387Z", "datePublished": "2026-02-03T16:56:26.219Z", "dateUpdated": "2026-02-04T16:52:35.918Z"}, "containers": {"cna": {"title": "Open eClass is Vulnerable to Stored Cross-Site Scripting (XSS) in Multiple High-Privilege User Fields", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/gunet/openeclass/security/advisories/GHSA-2x83-4fh2-fcw7", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/gunet/openeclass/security/advisories/GHSA-2x83-4fh2-fcw7"}], "affected": [{"vendor": "gunet", "product": "openeclass", "versions": [{"version": "< 4.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-03T16:56:26.219Z"}, "descriptions": [{"lang": "en", "value": "The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a Stored Cross-Site Scripting (XSS) vulnerability allows authenticated high-privileged users (teachers or administrators) to inject malicious JavaScript into multiple user-controllable input fields across the application, which is executed when other users access affected pages. This issue has been patched in version 4.2."}], "source": {"advisory": "GHSA-2x83-4fh2-fcw7", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-04T15:54:25.062457Z", "id": "CVE-2026-24671", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-04T16:52:35.918Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24671", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-04T15:54:25.062457Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-04T15:54:26.106Z"}}], "cna": {"title": "Open eClass is Vulnerable to Stored Cross-Site Scripting (XSS) in Multiple High-Privilege User Fields", "source": {"advisory": "GHSA-2x83-4fh2-fcw7", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "gunet", "product": "openeclass", "versions": [{"status": "affected", "version": "< 4.2"}]}], "references": [{"url": "https://github.com/gunet/openeclass/security/advisories/GHSA-2x83-4fh2-fcw7", "name": "https://github.com/gunet/openeclass/security/advisories/GHSA-2x83-4fh2-fcw7", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a Stored Cross-Site Scripting (XSS) vulnerability allows authenticated high-privileged users (teachers or administrators) to inject malicious JavaScript into multiple user-controllable input fields across the application, which is executed when other users access affected pages. This issue has been patched in version 4.2."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-03T16:56:26.219Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24671", "state": "PUBLISHED", "dateUpdated": "2026-02-04T16:52:35.918Z", "dateReserved": "2026-01-23T20:40:23.387Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-03T16:56:26.219Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:gunet:open_eclass_platform:*:*:*:*:*:*:*:*", "matchCriteriaId": "62F1C084-2C90-4AB3-A13E-28323DC385C0", "versionEndExcluding": "4.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a Stored Cross-Site Scripting (XSS) vulnerability allows authenticated high-privileged users (teachers or administrators) to inject malicious JavaScript into multiple user-controllable input fields across the application, which is executed when other users access affected pages. This issue has been patched in version 4.2."}], "id": "CVE-2026-24671", "lastModified": "2026-02-10T18:21:25.530", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 0.9, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.7, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-02-03T18:16:23.720", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/gunet/openeclass/security/advisories/GHSA-2x83-4fh2-fcw7"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T00:19:11.576181+00:00", "value": {"mitigation_remediation": ["Upgrade the Open eClass platform to version 4.2 or later, which contains the official fix for this stored XSS vulnerability.", "Configure the application to enforce strict input validation and sanitization on all user\u2011controlled fields, ensuring that script tags and event handlers are removed before storage.", "Deploy a web application firewall or similar filtering solution to detect and block malicious script payloads targeting the susceptible input fields."], "summary": {"action": "Patch", "impact": "Stored Cross\u2011Site Scripting (XSS)"}, "threat_synthesis": {"affected_systems": "This flaw exists in all Open eClass releases prior to version 4.2. The affected vendor is Gunet, developer of the Open eClass platform. Users running any version older than 4.2 of Open eClass are susceptible, while version 4.2 and newer contain the patch that removes the susceptibility.", "description_and_impact": "The Open eClass platform is vulnerable to a stored cross\u2011site scripting flaw that allows authenticated teachers or administrators to inject malicious JavaScript into several user\u2011editable fields. When other users view the affected pages, the injected code executes in their browsers, enabling attacks such as cookie theft, session hijacking, defacement, or further exploitation of client\u2011side resources. This vulnerability is a classic injection weakness (CWE\u201179).", "risk_and_exploitability": "The CVSS base score of 6.1 places the issue in the medium severity range, and the very low EPSS (<1%) indicates that exploitation is currently rare. The vulnerability is not listed in CISA\u2019s KEV catalog. Exploitation requires that an attacker have high\u2011privileged access (teacher or administrator) to inject the payload. Once injected, the code runs with the victim\u2019s browser privileges, potentially compromising user data and session integrity. The presence of both a credential requirement and a stored payload further limits the attack surface but still poses significant risk to users of affected installations."}}}}, "created": "2026-02-04T12:09:22.217284+00:00", "updated": "2026-04-18T00:30:25.703464+00:00", "vendors": ["openeclass", "openeclass$PRODUCT$openeclass"]}