CVE-2025-10388: Cross Site Scripting in Selleo Mentingo
A vulnerability was identified in Selleo Mentingo 2025.08.27. It affects an unknown part of the handler for /api/course/enroll-course in the Create New Course Basic Settings component: manipulation of the Description argument leads to cross-site scripting. The attack can be launched remotely. An exploit is publicly available and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AI Analysis
Technical Summary
CVE-2025-10388 is a cross-site scripting (XSS) vulnerability in Selleo Mentingo version 2025.08.27. It affects the /api/course/enroll-course endpoint, reached from the Create New Course Basic Settings component: the value of the Description argument is not neutralized before it is placed in a web page, so an attacker can inject script that runs in the browser of whoever views the affected page, in the origin of the Mentingo application. The advisory does not state where the Description value is rendered or to whom; whether the payload reaches other users (a stored payload shown on a course page) or only the submitter determines who is actually at risk, and a deployment should check this for itself. The attack can be launched remotely and needs user interaction to trigger the payload. The vendor was notified but has not responded or issued a patch. The CVSS 4.0 base score is 5.1 (medium): network attack vector, low attack complexity, no privileges required, user interaction needed; low impact on confidentiality and integrity and none on availability. Script running in the application's origin can read what the page can read, send requests with the victim's session and present forged content, so session hijacking, credential theft and unauthorized actions on behalf of the victim are the realistic outcomes. Exploit details are publicly available, which raises the likelihood of attempts, although no active exploitation has been reported.
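The bug class described above, as an added example rather than code from the advisory or from Mentingo: a course card that interpolates an untrusted Description value straight into HTML, beside a hardened version that encodes every untrusted field at output time. The field names, the markup and the payload are assumptions made for illustration and do not reflect how Mentingo renders course data.

```javascript
// Added example (not Mentingo's code). Shows a Description field interpolated into
// HTML without encoding, beside a renderer that encodes for the HTML text context.
// Field names, template markup and the payload are assumptions for illustration.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

// Encoder for the HTML text / quoted-attribute context. Other contexts (URL,
// JavaScript, CSS) need their own encoders; this one is not enough for an href.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: raw interpolation. A Description such as <img src=x onerror=...>
// becomes live markup in the browser of every user who views the card.
function renderCourseCardVulnerable(course) {
  return `<div class="course"><h2>${course.title}</h2><p>${course.description}</p></div>`;
}

// Hardened: the same template with each untrusted value encoded at output time.
function renderCourseCardSafe(course) {
  return `<div class="course"><h2>${escapeHtml(course.title)}</h2>` +
    `<p>${escapeHtml(course.description)}</p></div>`;
}

// Check a reviewer can run over rendered output: does the fragment contain an
// element the template did not emit, or any inline event-handler attribute?
const TEMPLATE_TAGS = new Set(['div', 'h2', 'p']);

function containsInjectedMarkup(html) {
  const tagRe = /<\/?([a-z][a-z0-9]*)\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    if (!TEMPLATE_TAGS.has(m[1].toLowerCase())) return true;
    if (/\bon[a-z]+\s*=/i.test(m[2])) return true;
  }
  return false;
}

// Constructed input modelled on the advisory: a script-bearing Description.
const PAYLOAD_COURSE = {
  title: 'Intro to Security',
  description: '<img src=x onerror=alert(document.cookie)>',
};
```

Running `containsInjectedMarkup` over both renderers with `PAYLOAD_COURSE` shows the difference: the vulnerable output carries a live `<img>` element with an `onerror` handler, the hardened output carries only the template's own tags with the payload reduced to inert text.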
Potential Impact
For European organizations running Selleo Mentingo 2025.08.27 this vulnerability poses a moderate risk. Mentingo is a course-management and enrollment platform, so a successful attack could steal session tokens or perform actions as the victim, which in turn could expose educational or organizational data. The exposure is larger where Mentingo is integrated with other internal systems or holds personally identifiable information (PII) of students or employees. With no vendor response and no patch, the window of exposure is open-ended. The medium severity means the bug is not critical on its own, but it can be chained with other weaknesses into a larger compromise or data breach. Organizations that depend on Mentingo for training or educational services should treat it with priority, since exploitation would undermine user trust and could affect compliance with data-protection rules such as GDPR.
Mitigation Recommendations
Organizations should put compensating controls in place while no fix exists. The root-cause fix is context-aware output encoding of the Description value wherever it is rendered (HTML text, attribute, URL and JavaScript contexts each need their own encoder), applied on the server or in the rendering layer; client-side validation is not a control, because the attacker submits the request directly. Where Mentingo is self-hosted and the code can be changed, that encoding is the change to make; otherwise the following controls reduce the risk without removing it. Deploy a web application firewall with rules for XSS payloads on the /api/course/enroll-course endpoint, keeping in mind that signature rules can be bypassed with encoding and tag variations, and monitor request logs for that endpoint for script-bearing Description values and for anomalous submitters. Serve a strict Content Security Policy (nonce- or hash-based script-src with no 'unsafe-inline'), which stops an injected inline script from executing; a CSP that permits 'unsafe-inline' gives no protection here. Set session cookies HttpOnly and SameSite so that a script that does run cannot read the session token directly. Educate users to recognize phishing that leads them to crafted course pages or links. Segment the network so that only the intended user population can reach Mentingo, and, if feasible, restrict or temporarily disable the affected course-creation functionality until a fixed build is available; check the vendor for releases newer than 2025.08.27 and retest before relying on one. Regular vulnerability scanning and penetration testing confirm whether the deployed version is still affected and whether the controls hold; detecting actual exploitation attempts is the job of the log monitoring above.
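A small log scanner for the endpoint monitoring recommended above, as an added example that is not part of the advisory or of Mentingo. It assumes the reverse proxy or application writes one JSON object per request containing the path and the parsed parameters (query and body merged); that log shape, the field names and the sample lines are constructed for illustration. It goes slightly beyond the advisory by checking every parameter of the request rather than only Description, and by undoing double URL-encoding before matching.

```javascript
// Added detection example, not part of the advisory or of Mentingo. Assumes a
// JSON-lines request log with "path" and parsed "params"; the log shape, field
// names and sample records are constructed for illustration.

const TARGET_PATH = '/api/course/enroll-course';

// Constructs an XSS payload in a text field needs, most specific first so the
// reported indicator is the most telling one.
const XSS_INDICATORS = [
  /<\s*(script|img|svg|iframe|object|embed|math|style)\b/i,
  /\bon[a-z]+\s*=/i,          // inline event handlers: onerror=, onload=, ...
  /javascript\s*:/i,          // javascript: URLs
  /<\s*\/?\s*[a-z][^>]*>/i,   // any other tag-like token
];

// Undo up to two layers of URL-encoding so a double-encoded payload is still seen.
function normalize(raw) {
  let value = String(raw).replace(/\+/g, ' ');   // form-encoding: '+' is a space
  for (let i = 0; i < 2; i++) {
    let decoded;
    try {
      decoded = decodeURIComponent(value);
    } catch {
      break;                  // malformed %-sequence (e.g. "50% off"): keep as is
    }
    if (decoded === value) break;
    value = decoded;
  }
  return value;
}

// One hit per parameter of a request to the target endpoint whose decoded value
// matches an indicator. Malformed lines and other endpoints are skipped.
function scanLogLines(lines) {
  const hits = [];
  for (const line of lines) {
    let entry;
    try {
      entry = JSON.parse(line);
    } catch {
      continue;               // not a JSON request record
    }
    if (typeof entry.path !== 'string' || entry.path.split('?')[0] !== TARGET_PATH) continue;
    for (const [param, raw] of Object.entries(entry.params || {})) {
      if (typeof raw !== 'string') continue;
      const value = normalize(raw);
      const indicator = XSS_INDICATORS.find((re) => re.test(value));
      if (indicator) {
        hits.push({ ts: entry.ts, ip: entry.ip, param, indicator: indicator.source, value });
      }
    }
  }
  return hits;
}

// Constructed sample log: a benign course, a direct payload, a double-encoded
// payload, a payload sent to a different endpoint, and a malformed line.
const SAMPLE_LOG = [
  JSON.stringify({ ts: '2025-09-15T00:01:02Z', ip: '198.51.100.10', method: 'POST', path: TARGET_PATH,
    params: { title: 'Rust basics', description: 'Ownership and borrowing; note 1 < 2 and 3 > 2.' } }),
  JSON.stringify({ ts: '2025-09-15T00:02:15Z', ip: '203.0.113.7', method: 'POST', path: TARGET_PATH,
    params: { title: 'Intro', description: '<img src=x onerror=alert(document.cookie)>' } }),
  JSON.stringify({ ts: '2025-09-15T00:02:16Z', ip: '203.0.113.7', method: 'POST', path: `${TARGET_PATH}?draft=1`,
    params: { title: 'Intro', description: '%253Csvg%2520onload%253Dalert(1)%253E' } }),
  JSON.stringify({ ts: '2025-09-15T00:03:00Z', ip: '203.0.113.7', method: 'GET', path: '/api/course/list',
    params: { q: '<script>alert(1)</script>' } }),
  'Sep 15 00:03:01 proxy[12]: not a json record',
];

function main() {
  for (const hit of scanLogLines(SAMPLE_LOG)) {
    console.log(`${hit.ts} ${hit.ip} param=${hit.param} indicator=${hit.indicator}`);
  }
}
main();
```

Signature patterns like these are for hunting and alerting, not a fix: a payload that avoids every listed construct still exercises the vulnerability, and the benign record with `1 < 2 and 3 > 2` is why the generic tag pattern insists on a letter after the bracket.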
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland
Technical Details
- Data Version (CVE record format): 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-09-13T09:40:01.463Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68c7591939776bc2a1466a8f
Added to database: 9/15/2025, 12:08:57 AM
Last enriched: 9/22/2025, 12:40:06 AM
Last updated: 10/29/2025, 9:29:03 AM