
CVE-2025-10388: Cross Site Scripting in Selleo Mentingo

Severity: Medium
Tags: Vulnerability, CVE-2025-10388, cve, cve-2025-10388
Published: Sun Sep 14 2025 (09/14/2025, 03:32:06 UTC)
Source: CVE Database V5
Vendor/Project: Selleo
Product: Mentingo

Description

A vulnerability was identified in Selleo Mentingo 2025.08.27. This issue affects some unknown processing of the file /api/course/enroll-course of the component Create New Course Basic Settings. Such manipulation of the argument Description leads to cross site scripting. The attack can be launched remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.

AI-Powered Analysis

AI analysis last updated: 09/15/2025, 00:11:30 UTC

Technical Analysis

CVE-2025-10388 is a cross-site scripting (XSS) vulnerability identified in Selleo Mentingo version 2025.08.27. The flaw lies in the handling of the 'Description' argument of the /api/course/enroll-course endpoint, in the component responsible for the basic settings of a newly created course. An attacker can exploit it remotely by injecting script into the Description field; the script then runs in the victim's browser when the application processes or displays that input. Consequences can include session hijacking, defacement, or redirection to malicious sites. The vulnerability is reachable over the network with no special attack prerequisites (AV:N, AT:N) and, per this analysis, requires no authentication, but it does require some user interaction (UI:P), such as a victim viewing the injected content. The CVSS 4.0 base score is 5.1 (medium), reflecting low impact on confidentiality and availability and some impact on integrity due to script execution in the victim's session. The vendor was notified but did not respond, and no patch is currently available. No exploitation in the wild has been reported, but a public exploit exists, which raises the likelihood of exploitation.

Potential Impact

For European organizations using Selleo Mentingo 2025.08.27, this vulnerability poses a moderate risk. Exploitation could allow attackers to execute arbitrary scripts in users’ browsers, potentially leading to theft of session tokens, user impersonation, or delivery of further malware. This is particularly concerning for educational institutions or corporate training environments that rely on Mentingo for course enrollment and management, as attackers could manipulate course descriptions to target administrators or students. The impact on confidentiality is limited but non-negligible, as sensitive user data could be exposed through session hijacking. Integrity is moderately affected due to the possibility of script injection altering displayed content or performing unauthorized actions. Availability impact is minimal. Since the vulnerability is remotely exploitable without authentication, attackers can target users broadly, increasing the risk of phishing or social engineering campaigns leveraging the vulnerability. European organizations with significant user bases on this platform may face reputational damage and compliance risks under GDPR if user data is compromised.

Mitigation Recommendations

Given the lack of vendor response and absence of patches, European organizations should implement immediate compensating controls. First, apply strict input validation and output encoding on the Description field at the application or web server level to neutralize malicious scripts. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. Use Web Application Firewalls (WAFs) with rules tailored to detect and block XSS payloads targeting the /api/course/enroll-course endpoint. Educate users about the risks of clicking on suspicious links or interacting with untrusted course descriptions. Monitor logs for unusual activity related to course creation or enrollment APIs. If possible, restrict access to the vulnerable endpoint to trusted IP ranges or authenticated users only, reducing exposure. Finally, maintain regular backups and incident response plans to quickly recover from potential compromises.
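An added illustration of the first three compensating controls above (output encoding of the Description field, a restrictive CSP, and endpoint-specific log monitoring); this is example code written for this page, not Selleo's or Mentingo's own code. It assumes the course-creation request body is JSON with a "description" key and that the request log is one JSON object per line with method, path and body fields.

```python
import html
import json
import re

# Example added to this advisory; not Selleo's or Mentingo's code.
# Assumed: the request body is JSON with a "description" key, and the
# request log is one JSON object per line with method/path/body fields.

def encode_description_for_html(description: str) -> str:
    """Output-encode a course description for rendering inside an HTML element.
    Entity encoding turns '<', '>', '&' and quotes into text, so injected
    tags and attributes cannot become markup."""
    return html.escape(description, quote=True)

def build_csp_header(nonce: str) -> str:
    """Build a Content-Security-Policy that blocks inline and third-party
    script. Legitimate inline scripts must carry the per-response nonce."""
    return (
        "default-src 'self'; "
        f"script-src 'self' 'nonce-{nonce}'; "
        "object-src 'none'; base-uri 'self'; frame-ancestors 'none'"
    )

# Markup patterns worth alerting on in a plain-text description field.
SUSPICIOUS = re.compile(
    r"<\s*script|<\s*iframe|<\s*svg|javascript:|on\w+\s*=", re.IGNORECASE
)

def suspicious_enroll_requests(log_lines):
    """Return (line_no, description) for POSTs to /api/course/enroll-course
    whose Description carries script-like markup, for log review."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        try:
            rec = json.loads(line)
        except ValueError:
            continue  # skip malformed log lines
        if rec.get("method") != "POST" or rec.get("path") != "/api/course/enroll-course":
            continue
        desc = str((rec.get("body") or {}).get("description", ""))
        if SUSPICIOUS.search(desc):
            hits.append((n, desc))
    return hits

# Constructed sample log lines, not real traffic.
SAMPLE_LOG = [
    '{"method":"POST","path":"/api/course/enroll-course","body":{"description":"Intro to Python"}}',
    '{"method":"POST","path":"/api/course/enroll-course","body":{"description":"<b onmouseover=alert(1)>hi</b>"}}',
    '{"method":"GET","path":"/api/course/list","body":{}}',
]
```

The encoding function belongs wherever the description is rendered, the CSP header on every HTML response, and the log scan in whatever job feeds the SIEM.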


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-09-13T09:40:01.463Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68c7591939776bc2a1466a8f

Added to database: 9/15/2025, 12:08:57 AM

Last enriched: 9/15/2025, 12:11:30 AM

Last updated: 9/15/2025, 3:23:25 AM
