Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-24665

CVE-2026-24665: Gunet Open Eclass Platform XSS Vulnerability

CVE-2026-24665 is a stored Cross-Site Scripting vulnerability in Gunet Open Eclass Platform that allows students to inject malicious code into assignments. This article covers technical details, affected versions, and mitigations.

Updated:

CVE-2026-24665 Overview

CVE-2026-24665 is a stored Cross-Site Scripting (XSS) vulnerability in the Open eClass platform, formerly known as GUnet eClass. The flaw affects all versions prior to 4.2. Authenticated students can inject malicious JavaScript into uploaded assignment files. The payload executes when an instructor views the submission, running in the instructor's browser context. The vendor patched the issue in version 4.2.

Critical Impact

Authenticated students can execute arbitrary JavaScript in instructor browser sessions, enabling session theft, credential harvesting, and unauthorized actions performed under instructor privileges.

Affected Products

  • GUnet Open eClass Platform versions prior to 4.2
  • Course management deployments using vulnerable assignment submission handlers
  • All instructor-facing submission review interfaces in pre-4.2 builds

Discovery Timeline

  • 2026-02-03 - CVE-2026-24665 published to NVD
  • 2026-02-10 - Last updated in NVD database

Technical Details for CVE-2026-24665

Vulnerability Analysis

The vulnerability is a stored XSS issue classified under [CWE-79], Improper Neutralization of Input During Web Page Generation. Open eClass accepts assignment file uploads from authenticated students. The platform fails to sanitize or encode file content before rendering it to instructors during submission review. When an instructor opens the malicious submission, the embedded JavaScript executes in the instructor's authenticated browser session. The scope change in the CVSS vector indicates the payload affects resources beyond the attacker's own security context, specifically the instructor's session.

Root Cause

The root cause is missing output encoding on assignment submission content rendered to instructors. The application treats uploaded file content as trusted display data rather than untrusted user input. Standard XSS defenses such as contextual HTML escaping or Content Security Policy enforcement are absent in the affected code path.

Attack Vector

An attacker requires a valid student account on the target Open eClass instance. The student uploads an assignment file containing crafted HTML or JavaScript payloads. When the instructor reviews the submission, the browser parses and executes the embedded script. The attacker can steal session cookies, perform actions as the instructor, modify grades, or pivot to other course resources. User interaction by the instructor is required, which constrains automated mass exploitation.

No verified proof-of-concept code is available. See the GitHub Security Advisory GHSA-2qgm-m7fm-m888 for vendor technical details.

Detection Methods for CVE-2026-24665

Indicators of Compromise

  • Assignment submission files containing <script> tags, javascript: URIs, or HTML event handlers such as onerror and onload
  • Unexpected outbound requests from instructor browsers to attacker-controlled domains shortly after viewing submissions
  • Anomalous grade modifications or course content changes attributed to instructor accounts without corresponding login activity

Detection Strategies

  • Scan stored assignment uploads for HTML tags, JavaScript keywords, and encoded script payloads using server-side content inspection
  • Review web server access logs for instructor sessions performing administrative actions immediately after /modules/work/ submission views
  • Correlate browser telemetry with Open eClass session activity to identify script execution in instructor contexts

Monitoring Recommendations

  • Enable verbose application logging for the assignment submission and review modules
  • Monitor for spikes in failed Content Security Policy violation reports if CSP is enforced
  • Track instructor account behavior for actions inconsistent with typical workflows, such as bulk grade changes or account modifications

How to Mitigate CVE-2026-24665

Immediate Actions Required

  • Upgrade all Open eClass deployments to version 4.2 or later without delay
  • Audit recent assignment submissions for malicious HTML or JavaScript content prior to instructor review
  • Reset instructor session tokens and rotate credentials if compromise is suspected

Patch Information

GUnet released the fix in Open eClass version 4.2. Administrators should follow the upgrade procedure documented in the GitHub Security Advisory GHSA-2qgm-m7fm-m888. Verify the installed version after upgrade by checking the platform configuration files.

Workarounds

  • Restrict assignment uploads to non-renderable file formats such as PDF until the upgrade is applied
  • Deploy a strict Content Security Policy that blocks inline script execution on instructor pages
  • Instruct faculty to download submissions and review them outside the browser rendering context
bash
# Verify Open eClass version after upgrade
grep -r "ECLASS_VERSION" /var/www/openeclass/include/baseTheme.php

# Example CSP header for the web server configuration
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self';";

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.