CVE-2021-47907 Overview
CVE-2021-47907 is a persistent cross-site scripting (XSS) vulnerability in Rocket LMS 1.1. The flaw exists in the support ticket module, where the title parameter is not properly sanitized before being rendered. Authenticated users can submit support tickets containing HTML or JavaScript payloads. These payloads execute in the browsers of administrators and other users who view the ticket message history. Successful exploitation enables session hijacking, credential theft via injected phishing forms, and unauthorized actions performed in the context of the victim user. The vulnerability is tracked under CWE-79 and is documented in the VulnCheck Advisory: Rocket LMS XSS.
Critical Impact
Authenticated attackers can store malicious JavaScript in support ticket titles, hijacking sessions of staff who review the ticket history.
Affected Products
- Rocket LMS 1.1
- Rocket Soft Learning Management System web application
- Support ticket module (title parameter)
Discovery Timeline
- 2026-05-10 - CVE-2021-47907 published to NVD
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2021-47907
Vulnerability Analysis
The vulnerability is a stored cross-site scripting flaw classified as [CWE-79]. Rocket LMS 1.1 accepts user-supplied input through the support ticket creation form. The application persists the title field to the database without applying HTML encoding or input sanitization. When another user, typically a support agent or administrator, opens the ticket history view, the stored payload is rendered into the document as executable markup. The injected script then runs with the privileges and session context of the viewing user.
Because the payload is stored server-side, exploitation does not require any phishing link or social engineering beyond submitting a ticket. Each subsequent view of the ticket triggers the payload, making this a reliable persistent vector against privileged users in the LMS application.
Root Cause
The root cause is missing output encoding on the support ticket title field. The server-side template renders the title directly into HTML without escaping characters such as <, >, and ". There is also no input-side allowlist filtering on submission, so script tags and event handler attributes pass through unchanged.
Attack Vector
Exploitation requires an authenticated low-privilege account, which any registered learner on the platform can obtain. The attacker opens a support ticket and places a JavaScript payload inside the title field, for example a <script> element or an HTML element carrying an onerror or onload handler. When a support agent or administrator views the ticket list or message history, the browser parses and executes the stored payload. The attacker can then exfiltrate session cookies, issue authenticated requests on behalf of the victim, or render a fake login overlay to harvest credentials. See Exploit-DB #50677 for the original public proof of concept.
No verified code example is available from a trusted source; refer to the linked Exploit-DB entry for the published proof of concept.
Detection Methods for CVE-2021-47907
Indicators of Compromise
- Support ticket records whose title column contains <script, onerror=, onload=, javascript:, or other HTML control characters
- Outbound HTTP requests from administrator browsers to unfamiliar domains immediately after viewing the support ticket queue
- Unexpected session token reuse from IP addresses that differ from the legitimate admin source
Detection Strategies
- Run database queries against the support ticket table to flag titles containing angle brackets or known XSS keywords
- Inspect web server access logs for POST requests to the ticket submission endpoint with payloads containing encoded script fragments
- Enable a Content Security Policy in report-only mode and review violation reports for inline script execution on ticket pages
Monitoring Recommendations
- Monitor administrator and support-agent browser sessions for anomalous DOM activity when ticket history views are loaded
- Alert on creation of new privileged accounts or password changes that follow a support-agent ticket review session
- Track failed and successful authentication events correlated with ticket viewing timestamps to identify session hijacking attempts
How to Mitigate CVE-2021-47907
Immediate Actions Required
- Restrict access to the Rocket LMS support ticket interface to trusted users until a fix is applied
- Audit existing support tickets and remove or sanitize any records that contain HTML or script content in the title field
- Force a password reset and session invalidation for any administrator or staff account that recently reviewed suspicious tickets
Patch Information
No official vendor patch is referenced in the available advisories. Consult the Rocket Soft LMS Portal for vendor updates and apply any newer release that addresses the support ticket sanitization defect. Until a fixed version is available, apply the workarounds below.
Workarounds
- Apply server-side HTML entity encoding to the title field on render, escaping <, >, ", ', and &
- Deploy a Content Security Policy that disallows inline scripts, for example Content-Security-Policy: default-src 'self'; script-src 'self'
- Add a web application firewall rule that blocks support ticket submissions containing <script, javascript:, or HTML event-handler attributes in the title parameter
- Validate input on submission with an allowlist that permits only plain text characters in ticket titles
# Configuration example: CSP header to block inline script execution in the LMS
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'self'";
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
