Ignacio Lis Malagón

Rank #43069 of 53,633
Total CVSS: 6.1
Vulnerabilities · 1
PT-2023-7322
6.1
2023-11-28
Vendor: Unknown · Product: Alumne LMS · CVE-2023-6359

**Name of the Vulnerable Software and Affected Versions**

Alumne LMS version 4.0.0.1.08

**Description**

A Cross-Site Scripting (XSS) issue has been found in Alumne LMS. The `localidad` field on the "/users/editmy" page is not properly sanitized, so a remote attacker can submit a custom JavaScript payload in the `localidad` parameter. When the affected content is rendered in another user's browser, the payload executes in that user's session context, which could allow the attacker to partially take over the victim's browser session (for example, by reading data the page exposes or performing actions as the victim). The vulnerability can be exploited by a remote attacker to conduct Cross-Site Scripting attacks.

**Recommendations**

For version 4.0.0.1.08, as a temporary workaround, consider disabling the `localidad` parameter on the "/users/editmy" page until a patch is available. Restrict access to the "/users/editmy" page to minimize the risk of exploitation, and avoid using the `localidad` parameter on the affected page until the issue is resolved. A permanent fix requires that the value be HTML-encoded for the context in which it is rendered (element text or attribute value), not merely filtered on input. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
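The advisory does not show Alumne LMS's own templates or field handling, so the following is an added Python illustration of the bug class rather than the product's code: a hypothetical profile page writes a stored `localidad` value into HTML once without output encoding (the vulnerable pattern) and once through `html.escape(..., quote=True)`, and a small parser-based audit tells the two apart. The payloads, the user record and the template markup are all constructed for this example and are not taken from the advisory.

```python
"""Added example (not Alumne LMS code): the generic bug class behind the advisory.

Models a profile page that writes a user-supplied 'localidad' value into HTML,
first without output encoding (vulnerable) and then with html.escape (fixed),
plus a parser-based check that tells the two apart. All payloads, names and
templates here are constructed for illustration.
"""
import html
from html.parser import HTMLParser
from typing import Dict, List, Tuple

# Constructed payloads of the kind an attacker would save via /users/editmy.
# Neither payload is taken from the advisory.
PAYLOAD_TEXT_CONTEXT = "<img src=x onerror=alert(document.cookie)>"
PAYLOAD_ATTR_BREAKOUT = "' autofocus onfocus=alert(document.cookie) x='"

# Tags the (hypothetical) profile template is allowed to emit on its own.
TEMPLATE_TAGS = {"div", "span", "input", "p"}


def render_profile_vulnerable(user: Dict[str, str]) -> str:
    """Vulnerable pattern: the stored field is concatenated straight into HTML.

    The same value lands in two contexts, a single-quoted attribute and
    element text, so both a tag-injection and a quote-breakout payload work.
    """
    return (
        "<div class='profile'>"
        f"<span class='name'>{user['name']}</span>"
        f"<input name='localidad' value='{user['localidad']}'>"
        f"<p class='city'>{user['localidad']}</p>"
        "</div>"
    )


def render_profile_fixed(user: Dict[str, str]) -> str:
    """Fixed pattern: HTML-encode every user-controlled value at output time.

    quote=True also encodes ' and ", which is what stops the attribute
    breakout; escaping only <, > and & would leave that vector open.
    """
    name = html.escape(user["name"], quote=True)
    city = html.escape(user["localidad"], quote=True)
    return (
        "<div class='profile'>"
        f"<span class='name'>{name}</span>"
        f"<input name='localidad' value='{city}'>"
        f"<p class='city'>{city}</p>"
        "</div>"
    )


class _MarkupAudit(HTMLParser):
    """Collects every start tag and every on*= attribute the parser sees."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: List[str] = []
        self.handlers: List[Tuple[str, str]] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        self.tags.append(tag)
        for name, _value in attrs:
            if name.lower().startswith("on"):
                self.handlers.append((tag, name))


def has_injected_markup(rendered: str) -> bool:
    """True if the rendered page contains a tag the template never emits
    or any inline event handler; either means user input became live markup."""
    audit = _MarkupAudit()
    audit.feed(rendered)
    audit.close()
    unexpected = set(audit.tags) - TEMPLATE_TAGS
    return bool(unexpected) or bool(audit.handlers)


def compare_renderers(localidad: str) -> Dict[str, bool]:
    """Render one stored value through both templates and audit each result."""
    user = {"name": "Ada", "localidad": localidad}  # constructed sample record
    return {
        "vulnerable": has_injected_markup(render_profile_vulnerable(user)),
        "fixed": has_injected_markup(render_profile_fixed(user)),
    }


if __name__ == "__main__":
    for payload in (PAYLOAD_TEXT_CONTEXT, PAYLOAD_ATTR_BREAKOUT):
        print(repr(payload), compare_renderers(payload))
```

Running the block prints `{'vulnerable': True, 'fixed': False}` for both payloads: the tag-injection payload only survives in the unescaped `<p>` text, and the quote-breakout payload only becomes an `onfocus` handler when `'` is left unencoded in the attribute. The audit is deliberately simple (a tag allowlist plus an `on*` attribute check) and is meant as a regression test for a template, not as an XSS filter.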