PT-2022-14575 · Unknown · Scorm Engine

Evan Grant · Published 2022-06-09 · Updated 2022-06-15 · CVE-2022-2035

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions
SCORM Engine versions prior to 20.1.45.914
SCORM Engine versions 21.1.x prior to 21.1.7.219

Description
A reflected cross-site scripting (XSS) issue exists because the domain and format of the user-supplied URL in the playerConfUrl parameter of the /defaultui/player/modern.html file are not restricted. This allows an attacker to craft malicious URLs that trigger a reflected XSS payload in the context of a victim's browser.

Recommendations
For SCORM Engine versions prior to 20.1.45.914, update to version 20.1.45.914 or later. For SCORM Engine versions 21.1.x prior to 21.1.7.219, update to version 21.1.7.219 or later. As a temporary workaround, consider restricting access to the playerConfUrl parameter in the /defaultui/player/modern.html file to minimize the risk of exploitation.
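
The restriction the description says is missing, as an added example (not SCORM Engine code and not taken from the vendor fix): a check that accepts a playerConfUrl value only when it resolves to the deployment's own origin over http(s), usable in front of the player page or for triaging access logs. The function name, the origin lms.example.test and the sample requests are assumptions constructed for illustration.

```javascript
// Added example, not SCORM Engine code. Names and sample URLs are constructed.
const PLAYER_PATH = "/defaultui/player/modern.html";

// Decide whether the playerConfUrl value in a request URL stays on allowedOrigin.
function checkPlayerConfUrl(requestUrl, allowedOrigin) {
  let req;
  try {
    req = new URL(requestUrl);
  } catch {
    return { ok: false, reason: "unparseable request URL" };
  }
  if (req.pathname !== PLAYER_PATH) return { ok: true, reason: "not the player page" };

  const values = req.searchParams.getAll("playerConfUrl");
  if (values.length === 0) return { ok: true, reason: "parameter absent" };
  if (values.length > 1) return { ok: false, reason: "duplicate parameter" };

  const raw = values[0];
  // Browsers strip or normalise these, so a string test on the raw value lies.
  if (/[\u0000-\u0020\\]/.test(raw)) {
    return { ok: false, reason: "whitespace, control character or backslash" };
  }
  let target;
  try {
    // Resolve relative values against the player page, as a browser would.
    target = new URL(raw, allowedOrigin + PLAYER_PATH);
  } catch {
    return { ok: false, reason: "unparseable value" };
  }
  if (target.protocol !== "http:" && target.protocol !== "https:") {
    return { ok: false, reason: "scheme " + target.protocol };
  }
  if (target.origin !== allowedOrigin) {
    return { ok: false, reason: "foreign origin " + target.origin };
  }
  return { ok: true, reason: "same origin" };
}

// Constructed requests: relative, absolute foreign, protocol-relative, non-http scheme.
const ORIGIN = "https://lms.example.test";
const SAMPLES = [
  ORIGIN + PLAYER_PATH + "?playerConfUrl=/api/v2/player-conf.json",
  ORIGIN + PLAYER_PATH + "?playerConfUrl=https%3A%2F%2Fother.example.test%2Fconf.json",
  ORIGIN + PLAYER_PATH + "?playerConfUrl=%2F%2Fother.example.test%2Fconf.json",
  ORIGIN + PLAYER_PATH + "?playerConfUrl=data%3Aapplication%2Fjson%2C%7B%7D",
];
for (const s of SAMPLES) console.log(checkPlayerConfUrl(s, ORIGIN).reason, "<-", s);
```

The check resolves the value before comparing origins, so protocol-relative and encoded forms are judged by where they actually point rather than by how the string looks.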

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2022-2035

Affected Products

Scorm Engine