CVE-2026-24672: Open eClass Platform XSS Vulnerability

CVE-2026-24672 Overview

A Stored Cross-Site Scripting (XSS) vulnerability has been identified in the Open eClass platform (formerly known as GUnet eClass), a complete course management system used in educational environments. Prior to version 4.2, authenticated students can inject malicious JavaScript into user profile fields. This malicious script is subsequently executed when users with viewing privileges access the affected application pages, potentially compromising user sessions and sensitive data.

Critical Impact

Authenticated attackers can inject persistent malicious scripts that execute in the context of other users' sessions, potentially leading to session hijacking, credential theft, and unauthorized actions within the learning management system.

Affected Products

• Open eClass platform versions prior to 4.2
• GUnet eClass (legacy name) versions prior to 4.2

Discovery Timeline

• 2026-02-03 - CVE-2026-24672 published to NVD
• 2026-02-04 - Last updated in NVD database

Technical Details for CVE-2026-24672

Vulnerability Analysis

This Stored Cross-Site Scripting vulnerability exists in the user profile functionality of the Open eClass platform. The application fails to properly sanitize user-supplied input in profile fields before storing it in the database and subsequently rendering it to other users. When a student creates or modifies their profile with malicious JavaScript code, this payload is stored persistently and executed in the browsers of any user who views the affected profile page.

The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation), which encompasses cross-site scripting flaws. Because the malicious payload is stored server-side and delivered to victims through normal application functionality, this represents a particularly dangerous form of XSS that can affect multiple users without requiring direct attacker interaction with each victim.

Root Cause

The root cause of this vulnerability is insufficient input validation and output encoding in the user profile functionality. The Open eClass platform does not adequately sanitize JavaScript and HTML content submitted through profile fields before storing it in the database. Additionally, the application fails to properly encode this data when rendering profile pages, allowing stored scripts to execute in the victim's browser context.

Attack Vector

An authenticated attacker with student-level access can exploit this vulnerability by injecting malicious JavaScript code into their user profile fields. The attack follows this sequence: the attacker first authenticates to the platform with valid student credentials, then navigates to profile editing functionality and inserts JavaScript payloads into vulnerable input fields. When other users (including administrators and instructors) view the attacker's profile or pages displaying profile information, the malicious script executes in their browser session. This can enable session hijacking, cookie theft, phishing attacks, or performing unauthorized actions on behalf of the victim.

The attack requires network access and low privileges (any authenticated student account), but depends on user interaction from the victim who must view the affected content for the payload to execute.

Detection Methods for CVE-2026-24672

Indicators of Compromise

• Unusual JavaScript code patterns in database entries for user profile fields
• Profile field values containing <script> tags, event handlers (e.g., onerror, onload), or JavaScript URIs
• Web application logs showing profile updates with encoded or obfuscated payloads
• User reports of unexpected browser behavior when viewing student profiles

Detection Strategies

• Implement Web Application Firewall (WAF) rules to detect XSS payload patterns in form submissions
• Enable Content Security Policy (CSP) headers and monitor for policy violations that may indicate XSS attempts
• Conduct regular database audits to identify stored payloads containing script tags or JavaScript event handlers
• Review web server logs for suspicious POST requests to profile update endpoints

Monitoring Recommendations

• Enable detailed logging for all user profile modification activities
• Configure alerts for CSP violation reports that may indicate XSS exploitation attempts
• Monitor for unusual session activity patterns that could indicate session hijacking via XSS
• Implement behavioral analysis to detect anomalous actions performed by user accounts following profile page views

How to Mitigate CVE-2026-24672

Immediate Actions Required

• Upgrade to Open eClass version 4.2 or later immediately
• Audit existing user profile data in the database for malicious scripts and remove any suspicious content
• Implement Content Security Policy headers to mitigate the impact of any stored payloads
• Review recent user profile changes for signs of attempted exploitation

Patch Information

The vulnerability has been addressed in Open eClass version 4.2. Organizations running affected versions should upgrade to this patched release as soon as possible. For detailed information about the security fix, refer to the GitHub Security Advisory.

Workarounds

• Implement a Web Application Firewall with XSS filtering rules to block malicious payloads in profile submissions
• Deploy strict Content Security Policy headers to prevent inline script execution
• Restrict profile viewing permissions to limit potential victim exposure until patching is complete
• Consider temporarily disabling user profile editing functionality if immediate patching is not feasible