
CERT Coordination Center

Cross-site scripting vulnerability in Lectora course navigation

Vulnerability Note VU#780141

Original Release Date: 2025-09-22 | Last Revised: 2025-09-22

Overview

Lectora Desktop versions 21.0–21.3 and Lectora Online versions 7.1.6 and older contained a cross-site scripting (XSS) vulnerability in courses published with Seamless Play Publish (SPP) enabled and Web Accessibility disabled. The vulnerability was initially patched in Lectora Desktop version 21.4 (October 25, 2022), but users must republish existing courses to apply the patch. This important republishing instruction was missing from the Desktop edition release notes, but it was included in the release notes for the recently patched Lectora Online (July 20, 2025). The CERT® Coordination Center is publishing this vulnerability note to amplify awareness as the Lectora software user base includes high-profile clients such as government agencies and large enterprises.

Description

Lectora, developed by ELB Learning, is an authoring platform used to create and publish interactive e-learning courses. Lectora Inspire and Lectora Publisher are the Desktop editions of the software, and Lectora Online is the cloud-based edition.

Affected Versions

  • Lectora Inspire and Lectora Publisher desktop editions versions 21.0–21.3
  • Lectora Online versions 7.1.6 and older

Impact

Courses published with Seamless Play Publish (SPP) enabled and Web Accessibility disabled in the affected versions can allow JavaScript injection via crafted URL parameters. A victim who opens a crafted link to such a course (the CVSS vector records this as user interaction required) has attacker-supplied script executed in the origin that hosts the published course, i.e., in the context of the viewing user's session. The reporter demonstrated client-side script execution (e.g., an alert or a redirect); in practice this poses a risk of session hijacking, credential theft through a spoofed login page, or redirection of the user to an attacker-controlled site.
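As an added illustration, not Lectora's code and not ELB Learning's fix, the following JavaScript shows the generic reflected-XSS pattern the paragraph above describes: a course navigation widget that copies URL parameters straight into its markup, beside a hardened version that HTML-escapes text and restricts the page target to known course pages. The parameter names `title` and `page`, the navigation markup, the page allow-list and the crafted query string are all hypothetical and constructed for the demo.

```javascript
// Added example: generic reflected-XSS pattern in a course navigation widget.
// Parameter names, markup and the allow-list below are hypothetical stand-ins
// for whatever a published course's navigation script actually reads.

// Parse a URL query string into a Map (pure string handling, no DOM needed).
function parseQuery(search) {
  const params = new Map();
  const qs = search.startsWith("?") ? search.slice(1) : search;
  for (const pair of qs.split("&")) {
    if (!pair) continue;
    const i = pair.indexOf("="); // split on the FIRST '=' only; values may contain '='
    const k = i < 0 ? pair : pair.slice(0, i);
    const v = i < 0 ? "" : pair.slice(i + 1);
    params.set(decodeURIComponent(k), decodeURIComponent(v.replace(/\+/g, " ")));
  }
  return params;
}

// VULNERABLE pattern: markup is built by concatenation and later assigned with
// innerHTML. Any '<' or '"' in a parameter value reaches the DOM as markup, and
// an unvalidated href accepts "javascript:" URLs, so a crafted link runs script.
function buildNavHtmlVulnerable(search) {
  const p = parseQuery(search);
  const title = p.get("title") || "Course";
  const page = p.get("page") || "index.html";
  return '<div class="nav"><span class="title">' + title + '</span>' +
         '<a href="' + page + '">Continue</a></div>';
}

// HARDENED pattern: escape text for the HTML text context, and only accept a
// page target that appears on an allow-list of the course's own pages.
const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

const ALLOWED_PAGES = new Set(["index.html", "page1.html", "page2.html"]); // hypothetical

function resolvePage(candidate) {
  // Anything not on the list (javascript: URLs, absolute URLs to other hosts,
  // path traversal) falls back to the course start page.
  return ALLOWED_PAGES.has(candidate) ? candidate : "index.html";
}

function buildNavHtmlSafe(search) {
  const p = parseQuery(search);
  const title = escapeHtml(p.get("title") || "Course");
  const page = resolvePage(p.get("page") || "index.html");
  return '<div class="nav"><span class="title">' + title + '</span>' +
         '<a href="' + escapeHtml(page) + '">Continue</a></div>';
}

// Constructed attacker query string: a script-injecting title plus a
// redirecting page target. Only the vulnerable builder lets either through.
const CRAFTED =
  "?title=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E" +
  "&page=javascript:location='https://evil.example'";

// Print both renderings when run directly (node nav_xss.js).
if (typeof require !== "undefined" && require.main === module) {
  console.log("vulnerable:", buildNavHtmlVulnerable(CRAFTED));
  console.log("hardened:  ", buildNavHtmlSafe(CRAFTED));
}
```

The hardened builder is the general mitigation for this class of bug (output encoding per context plus an allow-list for navigation targets); for Lectora itself the fix is the vendor patch followed by republishing, as described under Solution.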

Solution

The vulnerability is patched in Lectora Desktop (Publisher and Inspire version 21.4, released October 25, 2022) and Lectora Online (version 7.1.7, deployed July 20, 2025). Updating the authoring tool alone does not fix courses that were already published: the fix lives in the generated course output, so every affected course must be republished and redeployed. To fully implement the solution:

  • For Lectora Desktop customers: Download the version 21.4 patch or a later update from portal.elblearning.com. Then republish any courses that were created using older software versions and redeploy the new output wherever the courses are hosted.
  • For Lectora Online customers: The update to version 7.1.7 was automatically applied on July 20, 2025. You must still republish any courses that were created using older software versions and redeploy the new output.

Acknowledgements

Thanks to the reporter Mohammad Jassim for reporting this vulnerability. This document was written by Laurie Tyzenhaus.

Vendor Information


ELB Learning: Affected

  • Notified: 2025-07-15
  • Updated: 2025-09-22
  • Statement Date: August 05, 2025
  • CVE-2025-9125: Affected

Vendor Statement

Cross-site scripting vulnerability in Lectora course navigation

ELB Learning has remediated an issue that, under certain circumstances, could have allowed an attacker to execute arbitrary JavaScript in the context of a user's session by injecting it via a parameter in published Lectora content.

Impacted products: Lectora Desktop 21 (prior to version 21.4) and Lectora Online (prior to version 7.1.7, released July 20, 2025). If web accessibility is set in project options or if the course is published with Seamless Play Publish (SPP) disabled, the course is not impacted by this vulnerability.

CVSS 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

Thanks to Mohammad Jassim for reporting this vulnerability.


Other Information

CVE IDs: CVE-2025-9125
API URL: VINCE JSON | CSAF
Date Public: 2025-09-22
Date First Published: 2025-09-22
Date Last Updated: 2025-09-22 14:44 UTC
Document Revision: 1

Sponsored by CISA.