PT-2026-39496 · Unknown · Rocket Lms
Vulnerability-Lab
·
Published
2026-05-10
·
Updated
2026-05-10
·
CVE-2021-47907
CVSS v3.1
6.4
Medium
| Vector | AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Rocket LMS version 1.1
Description
A persistent cross-site scripting issue exists in the support ticket module. Authenticated users can inject malicious script code via the
title parameter. This allows attackers to submit support tickets containing embedded HTML or JavaScript payloads that execute in the browsers of other users viewing the message history, potentially leading to phishing attacks and session hijacking (the unauthorized acquisition of a user's session token to impersonate them).Recommendations
As a temporary workaround, restrict access to the support ticket module or avoid using the
title parameter until a fix is applied.
At the moment, there is no information about a newer version that contains a fix for this vulnerability.Exploit
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Rocket Lms