PT-2026-39496 · Unknown · Rocket Lms

Vulnerability-Lab

·

Published

2026-05-10

·

Updated

2026-05-10

·

CVE-2021-47907

CVSS v3.1

6.4

Medium

VectorAV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions Rocket LMS version 1.1
Description A persistent cross-site scripting issue exists in the support ticket module. Authenticated users can inject malicious script code via the title parameter. This allows attackers to submit support tickets containing embedded HTML or JavaScript payloads that execute in the browsers of other users viewing the message history, potentially leading to phishing attacks and session hijacking (the unauthorized acquisition of a user's session token to impersonate them).
Recommendations As a temporary workaround, restrict access to the support ticket module or avoid using the title parameter until a fix is applied. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2021-47907

Affected Products

Rocket Lms